{"info":{"_postman_id":"7599a47a-6d62-447a-8a21-7582421bdded","name":"Security Content API","description":"<html><head></head><body><p>Provides an API to Splunks Security Content located at: github.com/splunk/security-content</p>\n</body></html>","schema":"https://schema.getpostman.com/json/collection/v2.0.0/collection.json","toc":[],"owner":"4046507","collectionId":"7599a47a-6d62-447a-8a21-7582421bdded","publishedId":"UyrDDFiu","public":true,"customColor":{"top-bar":"FFFFFF","right-sidebar":"303030","highlight":"EF5B25"},"publishDate":"2022-04-26T20:22:43.000Z"},"item":[{"name":"detections","item":[{"name":"/detections","id":"ea1a9786-54a6-4146-9a07-7d724ce9c371","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"auth":{"type":"noauth","isInherited":false},"method":"GET","header":[],"url":"https://content.splunkresearch.com/detections","description":"<p>list all detections</p>\n","urlObject":{"path":["detections"],"host":["https://content.splunkresearch.com"],"query":[{"disabled":true,"description":{"content":"<p>Include community contributed content</p>\n","type":"text/plain"},"key":"","value":""}],"variable":[]}},"response":[{"id":"7ade5e7f-996c-412f-8518-97c0c03d6583","name":"/detections","originalRequest":{"method":"GET","header":[],"url":"https://content.splunkresearch.com/detections"},"status":"OK","code":200,"_postman_previewlanguage":"json","header":[{"key":"Date","value":"Thu, 05 Nov 2020 08:05:36 
GMT"},{"key":"Content-Type","value":"application/json"},{"key":"Content-Length","value":"720907"},{"key":"Connection","value":"keep-alive"},{"key":"x-amzn-RequestId","value":"050270b4-e74b-4ff3-9e92-6c36b3422abe"},{"key":"Access-Control-Allow-Origin","value":"*"},{"key":"Access-Control-Allow-Headers","value":"Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key"},{"key":"x-amz-apigw-id","value":"VhjKfHxtvHcFtXg="},{"key":"X-Amzn-Trace-Id","value":"Root=1-5fa3b243-61b324b349012a7a0f1035ac;Sampled=0"}],"cookie":[],"responseTime":null,"body":"{\n    \"detections\": [\n        {\n            \"name\": \"Detect New Login Attempts to Routers\",\n            \"id\": \"104658f4-afdc-499e-9719-17243rr826f1\",\n            \"version\": 1,\n            \"date\": \"2017-09-12\",\n            \"description\": \"The search queries the authentication logs for assets that are categorized as routers in the ES Assets and Identity Framework, to identify connections that have not been seen before in the last 30 days.\",\n            \"how_to_implement\": \"To successfully implement this search, you must ensure the network router devices are categorized as \\\"router\\\" in the Assets and identity table. 
You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(), \\\"-30d@d\\\"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `drop_dm_object_name(\\\"Authentication\\\")` | `detect_new_login_attempts_to_routers_filter`\",\n            \"known_false_positives\": \"Legitimate router connections may appear as new connections\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Router and Infrastructure Security\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 11\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"PR.AC\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    
],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_new_login_attempts_to_routers_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Phishing Email Detection by Machine Learning Method - SSA\",\n            \"id\": \"4b237388-dfa1-41a6-91d4-4de2d598376f\",\n            \"version\": 1,\n            \"date\": \"2020-08-25\",\n            \"description\": \"Malicious mails can conduct phishing that induces readers to open attachment, click links or trigger third party service. This detect uses Natural Language Processing (NLP) approach to analyze an email message's content (Sender, Subject and Body) and judge whether it is a phishing email. The detection adopts a deep learning (neural network) model that employs character level embeddings plus LSTM layers to perform classification. The model is pre-trained and then published as ONNX format. Current sample model is trained using the dataset published at https://github.com/splunk/attack_data/tree/master/datasets/T1566_Phishing_Email/splunk_train.json User are expected to re-train the model by combining with their own training data for better accuracy using the provided model file (SMLE notebook). DSP pipeline then processes the email message and passes it as an event to Apply ML Models function, which returns the probability of a phishing email. 
Current implementation assumes the email is fed to DSP in JSON format contains at least email's sender, subject and its message body, including reply content, if any.\",\n            \"how_to_implement\": \"Events are fed to DSP contains at least email's sender, subject and its message body.\",\n            \"references\": [],\n            \"type\": \"SSA\",\n            \"author\": \"Xiao Lin, Splunk\",\n            \"search\": \"| from read_ssa_enriched_events() | where source_type=\\\"email\\\" | eval strJsn=cast(body, \\\"string\\\"), jsonMap=from_json_object(strJsn), eventLine=concat(ucast(map_get(jsonMap, \\\"From\\\"), \\\"string\\\", \\\" \\\"), \\\" \\\", ucast(map_get(jsonMap, \\\"Subject\\\"), \\\"string\\\", \\\" \\\"), \\\" \\\", ucast(map_get(jsonMap, \\\"Content\\\"), \\\"string\\\", \\\" \\\"), \\\"                                                                                                                                \\\"), Date=ucast(map_get(jsonMap, \\\"Date\\\"), \\\"string\\\", \\\" NA\\\") | where eventLine IS NOT NULL | eval mapC={\\\" \\\": 32, \\\"!\\\": 33, \\\"\\\\\\\"\\\": 34, \\\"#\\\": 35, \\\"$\\\": 36, \\\"%\\\": 37, \\\"&\\\": 38, \\\"`\\\": 39, \\\"(\\\": 40, \\\")\\\": 41, \\\"*\\\": 42, \\\"+\\\": 43, \\\",\\\": 44, \\\"-\\\": 45, \\\".\\\": 46, \\\"/\\\": 47, \\\"0\\\": 48, \\\"1\\\": 49, \\\"2\\\": 50, \\\"3\\\": 51, \\\"4\\\": 52, \\\"5\\\": 53, \\\"6\\\": 54, \\\"7\\\": 55, \\\"8\\\": 56, \\\"9\\\": 57, \\\":\\\": 58, \\\";\\\": 59, \\\"<\\\": 60, \\\"=\\\": 61, \\\">\\\": 62, \\\"?\\\": 63, \\\"@\\\": 64, \\\"A\\\": 65, \\\"B\\\": 66, \\\"C\\\": 67, \\\"D\\\": 68, \\\"E\\\": 69, \\\"F\\\": 70, \\\"G\\\": 71, \\\"H\\\": 72, \\\"I\\\": 73, \\\"J\\\": 74, \\\"K\\\": 75, \\\"L\\\": 76, \\\"M\\\": 77, \\\"N\\\": 78, \\\"O\\\": 79, \\\"P\\\": 80, \\\"Q\\\": 81, \\\"R\\\": 82, \\\"S\\\": 83, \\\"T\\\": 84, \\\"U\\\": 85, \\\"V\\\": 86, \\\"W\\\": 87, \\\"X\\\": 88, \\\"Y\\\": 89, \\\"Z\\\": 90, \\\"[\\\": 91, 
\\\"\\\\\\\\\\\": 92, \\\"]\\\": 93, \\\"^\\\": 94, \\\"_\\\": 95, \\\"`\\\": 96, \\\"a\\\": 97, \\\"b\\\": 98, \\\"c\\\": 99, \\\"d\\\": 100, \\\"e\\\": 101, \\\"f\\\": 102, \\\"g\\\": 103, \\\"h\\\": 104, \\\"i\\\": 105, \\\"j\\\": 106, \\\"k\\\": 107, \\\"l\\\": 108, \\\"m\\\": 109, \\\"n\\\": 110, \\\"o\\\": 111, \\\"p\\\": 112, \\\"q\\\": 113, \\\"r\\\": 114, \\\"s\\\": 115, \\\"t\\\": 116, \\\"u\\\": 117, \\\"v\\\": 118, \\\"w\\\": 119, \\\"x\\\": 120, \\\"y\\\": 121, \\\"z\\\": 122, \\\"{\\\": 123, \\\"|\\\": 124, \\\"}\\\": 125, \\\"~\\\": 126}, `embedding_input:0` = for_each(iterator(mvrange(1,129), \\\"i\\\"), cast(map_get(mapC, substr(eventLine, i, 1)), \\\"float\\\") ) | apply_model connection_id=\\\"YOUR_S3_ONNX_CONNECTOR_ID\\\" name=\\\"phishing_email_v7\\\" path=\\\"s3://smle-experiments/models/phishing_email\\\" | eval probability = mvindex(`dense/Sigmoid:0`, 0) | where probability > 0.5 | eval start_time=Date, end_time=Date, entities=\\\"TBD\\\", body=\\\"TBD\\\" | select probability, body, entities, start_time, end_time | into write_ssa_detected_events();\",\n            \"known_false_positives\": \"Because of imbalance of anomaly data in training, the model will less likely report false positive. Instead, the model is more prone to false negative. 
Current best recall score is ~85%\",\n            \"tags\": {\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_technique_id\": [\n                    \"T1566\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"risk_severity\": \"low\",\n                \"security_domain\": \"mail server\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            }\n        },\n        {\n            \"name\": \"Email Attachments With Lots Of Spaces\",\n            \"id\": \"56e877a6-1455-4479-ada6-0550dc1e22f8\",\n            \"version\": 2,\n            \"date\": \"2017-09-19\",\n            \"description\": \"Attackers often use spaces as a means to obfuscate an attachment's file extension. This search looks for messages with email attachments that have many spaces within the file names.\",\n            \"how_to_implement\": \"You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment. \\\\\\n **Splunk Phantom Playbook Integration**\\\\\\nIf Splunk Phantom is also configured in your environment, a playbook called \\\"Suspicious Email Attachment Investigate and Delete\\\" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the \\\"Phantom Instance\\\" field in the Adaptive Response Actions when configuring this detection search. 
The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.\",\n            \"type\": \"ESCU\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name=\\\"*\\\" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Email\\\")` | eval space_ratio = (mvcount(split(file_name,\\\" \\\"))-1)/len(file_name) | search space_ratio >= 0.1 |  rex field=recipient_address \\\"(?<recipient_user>.*)@\\\" | `email_attachments_with_lots_of_spaces_filter`\",\n            \"known_false_positives\": \"None at this time\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Emotet Malware  DHS Report TA18-201A \",\n                    \"Suspicious Emails\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Delivery\"\n                ],\n                \"cis20\": [\n                    \"CIS 7\"\n                ],\n                \"nist\": [\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": 
\"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"email_attachments_with_lots_of_spaces_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Email files written outside of the Outlook directory\",\n            \"id\": \"ee18ed37-0802-4268-9435-b3b91aaa18xx\",\n            \"version\": 3,\n            \"date\": \"2020-07-21\",\n            \"description\": \"The search looks at the change-analysis data model and detects email files created outside the normal Outlook directory.\",\n            \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or by other endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report file-system reads and writes.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path != \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\My Documents\\\\\\\\Outlook Files\\\\\\\\*\\\"  Filesystem.file_path!=\\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Outlook*\\\" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest | `drop_dm_object_name(\\\"Filesystem\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `email_files_written_outside_of_the_outlook_directory_filter` \",\n            \"known_false_positives\": \"Administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. 
These attempts will be detected by the search.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Collection and Staging\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1114.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Local Email Collection\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Collection\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Magic Hound\",\n                    \"APT1\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"email_files_written_outside_of_the_outlook_directory_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Email servers sending high volume traffic to hosts\",\n            \"id\": \"7f5fb3e1-4209-4914-90db-0ec21b556378\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server.\",\n            \"how_to_implement\": \"This search requires you to be ingesting your network traffic and populating the Network_Traffic data model.  Your email servers must be categorized as \\\"email_server\\\" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The \\\"deviation_threshold\\\" field is a multiplying factor to control how much variation you're willing to tolerate. 
The \\\"minimum_data_samples\\\" field is the minimum number of connections of data samples required for the statistic to be valid.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as bytes_out from datamodel=Network_Traffic where All_Traffic.src_category=email_server by All_Traffic.dest_ip _time span=1d | `drop_dm_object_name(\\\"All_Traffic\\\")` | eventstats avg(bytes_out) as avg_bytes_out stdev(bytes_out) as stdev_bytes_out | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), \\\"@d\\\"), bytes_out, null))) as per_source_avg_bytes_out stdev(eval(if(_time < relative_time(now(), \\\"@d\\\"), bytes_out, null))) as per_source_stdev_bytes_out by dest_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_out > (avg_bytes_out + (deviation_threshold * stdev_bytes_out)) AND bytes_out > (per_source_avg_bytes_out + (deviation_threshold * per_source_stdev_bytes_out)) AND _time >= relative_time(now(), \\\"@d\\\") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_out - avg_bytes_out) / stdev_bytes_out, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_out - per_source_avg_bytes_out) / per_source_stdev_bytes_out, 2) | table dest_ip, _time, bytes_out, avg_bytes_out, per_source_avg_bytes_out, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `email_servers_sending_high_volume_traffic_to_hosts_filter`\",\n            \"known_false_positives\": \"The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. 
Our recommendation is to adjust these values based on your network traffic to and from your email servers.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Collection and Staging\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1114.002\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 7\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Remote Email Collection\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Collection\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT1\",\n                    \"FIN4\",\n                    \"APT28\",\n                    \"Dragonfly 2.0\",\n                    \"Ke3chang\",\n                    \"Leafminer\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"email_servers_sending_high_volume_traffic_to_hosts_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Identify New User Accounts\",\n            \"id\": \"475b9e27-17e4-46e2-b7e2-648221be3b89\",\n            \"version\": 1,\n            \"date\": \"2017-09-12\",\n            \"description\": \"This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week.\",\n            \"how_to_implement\": \"To successfully implement this search, you need to be populating the Enterprise Security Identity_Management data model in the assets and identity framework.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| from datamodel Identity_Management.All_Identities  | eval empStatus=case((now()-startDate)<604800, \\\"Accounts created in last week\\\") | search empStatus=\\\"Accounts created in last week\\\"| `security_content_ctime(endDate)` | `security_content_ctime(startDate)`| table identity empStatus endDate startDate | `identify_new_user_accounts_filter`\",\n            \"known_false_positives\": \"If the Identity_Management data model is not updated regularly, this search could give you false positive alerts. 
Please consider this and investigate appropriately.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Account Monitoring and Controls\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.002\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"access\",\n                \"asset_type\": \"Domain Server\",\n                \"mitre_attack_technique\": [\n                    \"Domain Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"TA505\",\n                    \"APT3\",\n                    \"Threat Group-1314\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"identify_new_user_accounts_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Monitor Email For Brand Abuse\",\n            \"id\": \"b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8\",\n            \"version\": 2,\n            \"date\": \"2018-01-05\",\n            \"description\": \"This search looks for emails claiming to be sent from a domain similar to one that you want to have monitored for abuse.\",\n            \"how_to_implement\": \"You need to ingest email header data. Specifically the sender's address (src_user) must be populated.  You also need to have run the search \\\"ESCU - DNSTwist Domain Names\\\", which creates the permutations of the domain that will be checked for.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id | `drop_dm_object_name(\\\"All_Email\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval temp=split(src_user, \\\"@\\\") | eval email_domain=mvindex(temp, 1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true | table message_id, src_user, email_domain, recipients, firstTime, lastTime | `monitor_email_for_brand_abuse_filter`\",\n            \"known_false_positives\": \"None at this time\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Brand Monitoring\",\n                    \"Suspicious Emails\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Delivery\"\n                ],\n                \"cis20\": [\n                    \"CIS 7\"\n                ],\n                \"nist\": [\n                    
\"PR.IP\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"DNSTwist Domain Names\",\n                    \"id\": \"19f7d2ec-6028-4d01-bcdb-bda9a034c17f\",\n                    \"version\": 2,\n                    \"date\": \"2018-10-08\",\n                    \"description\": \"This search creates permutations of your existing domains, removes the valid domain names and stores them in a specified lookup file so they can be checked for in the associated detection searches.\",\n                    \"how_to_implement\": \"To successfully implement this search you need to update the file called domains.csv in the DA-ESS-SOC/lookup directory. Or `cim_corporate_email_domains.csv` and `cim_corporate_web_domains.csv` from **Splunk\\\\_SA\\\\_CIM**.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| dnstwist domainlist=domains.csv | `remove_valid_domains` | eval domain_abuse=\\\"true\\\" | table domain, domain_abuse | outputlookup brandMonitoring_lookup | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Brand Monitoring\",\n                            \"Suspicious Emails\"\n                        ],\n                        \"detections\": [\n                            \"Monitor Email For Brand Abuse\",\n                            \"Monitor DNS For Brand Abuse\",\n                            \"Monitor Web Traffic For Brand Abuse\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false 
allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"monitor_email_for_brand_abuse_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Multiple Okta Users With Invalid Credentails From The Same IP\",\n            \"id\": \"19cba45f-cad3-4032-8911-0c09e0444552\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search detects Okta login failures due to bad credentials for multiple users originating from the same ip address.\",\n            \"how_to_implement\": \"This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.\",\n            \"type\": \"ESCU\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"`okta` outcome.reason=INVALID_CREDENTIALS | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats min(_time) as firstTime max(_time) as lastTime dc(user) as distinct_users values(user) as users by src_ip, displayMessage, outcome.reason, country, state, city  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |  search distinct_users > 5| 
`multiple_okta_users_with_invalid_credentails_from_the_same_ip_filter` \",\n            \"known_false_positives\": \"A single public IP address servicing multiple legitmate users may trigger this search. In addition, the threshold of 5 distinct users may be too low for your needs. You may modify the included filter macro XXXXXXXXXXXXX to raise the threshold or except specific IP adresses from triggering this search.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Okta Activity\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.001\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"access\",\n                \"asset_type\": \"Infrastructure\",\n                \"mitre_attack_technique\": [\n                    \"Default Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"eventtype=okta_log\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"okta\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"multiple_okta_users_with_invalid_credentails_from_the_same_ip_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"No Windows Updates in a time frame\",\n            \"id\": \"1a77c08c-2f56-409c-a2d3-7d64617edd4f\",\n            \"version\": 1,\n            \"date\": \"2017-09-15\",\n            \"description\": \"This search looks for Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. Windows updates are typically released monthly and applied shortly thereafter. An endpoint that has not successfully applied an update in this time frame indicates the endpoint is not regularly being patched for some reason.\",\n            \"how_to_implement\": \"To successfully implement this search, it requires that the 'Update' data model is being populated. This can be accomplished by ingesting Windows events or the Windows Update log via a universal forwarder on the Windows endpoints you wish to monitor. The Windows add-on should be also be installed and configured to properly parse Windows events in Splunk. 
There may be other data sources which can populate this data model, including vulnerability management systems.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product=\\\"Microsoft Windows\\\" by Updates.dest Updates.status Updates.vendor_product | rename Updates.dest as Host | rename Updates.status as \\\"Update Status\\\" | rename Updates.vendor_product as Product | eval isOutlier=if(lastTime <= relative_time(now(), \\\"-60d@d\\\"), 1, 0)  | `security_content_ctime(lastTime)`  | search isOutlier=1 | rename lastTime as \\\"Last Update Time\\\", | table Host, \\\"Update Status\\\", Product, \\\"Last Update Time\\\" | `no_windows_updates_in_a_time_frame_filter`\",\n            \"known_false_positives\": \"None identified\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Monitor for Updates\"\n                ],\n                \"cis20\": [\n                    \"CIS 18\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"PR.MA\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": 
\"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"no_windows_updates_in_a_time_frame_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Okta Account Lockout Events\",\n            \"id\": \"62b70968-a0a5-4724-8ac4-67871e6f544d\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"Detect Okta user lockout events\",\n            \"how_to_implement\": \"This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.\",\n            \"type\": \"ESCU\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"`okta` displayMessage=\\\"Max sign in attempts exceeded\\\" | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | table _time, user, country, state, city, src_ip | `okta_account_lockout_events_filter` \",\n            \"known_false_positives\": \"None. 
Account lockouts should be followed up on to determine if the actual user was the one who caused the lockout, or if it was an unauthorized actor.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Okta Activity\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.001\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"access\",\n                \"asset_type\": \"Infrastructure\",\n                \"mitre_attack_technique\": [\n                    \"Default Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"eventtype=okta_log\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"okta\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"okta_account_lockout_events_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Okta Failed SSO Attempts\",\n            \"id\": \"371a6545-2618-4032-ad84-93386b8698c5\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"Detect failed Okta SSO events\",\n            \"how_to_implement\": \"This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.\",\n            \"type\": \"ESCU\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"`okta` displayMessage=\\\"User attempted unauthorized access to app\\\" | stats  min(_time) as firstTime max(_time) as lastTime values(app) as Apps count by user, result ,displayMessage, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_failed_sso_attempts_filter` \",\n            \"known_false_positives\": \"There may be a faulty config preventing legitmate users from accessing apps they should have access to.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Okta Activity\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.001\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"access\",\n                \"asset_type\": \"Infrastructure\",\n                \"mitre_attack_technique\": [\n                    \"Default Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n  
              ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"eventtype=okta_log\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"okta\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"okta_failed_sso_attempts_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Okta User Logins From Multiple Cities\",\n            \"id\": \"7594fa07-9f34-4d01-81cc-d6af6a5db9e8\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search detects logins from the same user from different states in a 24 hour period.\",\n            \"how_to_implement\": \"This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.\",\n            \"type\": \"ESCU\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"`okta` displayMessage=\\\"User login to Okta\\\" client.geographicalContext.city!=null | stats min(_time) as firstTime max(_time) as lastTime dc(client.geographicalContext.city) as locations values(client.geographicalContext.city) as cities values(client.geographicalContext.state) as states by user | `security_content_ctime(firstTime)`| 
`security_content_ctime(lastTime)` | `okta_user_logins_from_multiple_cities_filter` | search locations > 1\",\n            \"known_false_positives\": \"Users in your enviornment may legitmately be travelling and loggin in from different locations. This search is useful for those users that should *not* be travelling for some reason, such as the COVID-19 pandemic. The search also relies on the geographical information being populated in the Okta logs. It is also possible that a connection from another region may be attributed to a login from a remote VPN endpoint.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Okta Activity\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.001\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"access\",\n                \"asset_type\": \"Infrastructure\",\n                \"mitre_attack_technique\": [\n                    \"Default Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"eventtype=okta_log\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"okta\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"okta_user_logins_from_multiple_cities_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Open Redirect in Splunk Web\",\n            \"id\": \"d199fb99-2312-451a-9daa-e5efa6ed76a7\",\n            \"version\": 1,\n            \"date\": \"2017-09-19\",\n            \"description\": \"This search allows you to look for evidence of exploitation for CVE-2016-4859, the Splunk Open Redirect Vulnerability.\",\n            \"how_to_implement\": \"No extra steps needed to implement this search.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"index=_internal sourcetype=splunk_web_access return_to=\\\"/%09/*\\\" | `open_redirect_in_splunk_web_filter`\",\n            \"known_false_positives\": \"None identified\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Splunk Enterprise Vulnerability\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Delivery\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 4\",\n                    \"CIS 18\"\n                ],\n                \"nist\": [\n  
                  \"ID.RA\",\n                    \"RS.MI\",\n                    \"PR.PT\",\n                    \"PR.AC\",\n                    \"PR.IP\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Splunk Server\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"open_redirect_in_splunk_web_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Spectre and Meltdown Vulnerable Systems\",\n            \"id\": \"354be8e0-32cd-4da0-8c47-796de13b60ea\",\n            \"version\": 1,\n            \"date\": \"2017-01-07\",\n            \"description\": \"The search is used to detect systems that are still vulnerable to the Spectre and Meltdown vulnerabilities.\",\n            \"how_to_implement\": \"The search requires that you are ingesting your vulnerability-scanner data and that it reports the CVE of the vulnerability identified.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities where Vulnerabilities.cve =\\\"CVE-2017-5753\\\" OR Vulnerabilities.cve =\\\"CVE-2017-5715\\\" OR Vulnerabilities.cve =\\\"CVE-2017-5754\\\" by Vulnerabilities.dest | `drop_dm_object_name(Vulnerabilities)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spectre_and_meltdown_vulnerable_systems_filter`\",\n            \"known_false_positives\": \"It is possible that your 
vulnerability scanner is not detecting that the patches have been applied.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Spectre And Meltdown Vulnerabilities\"\n                ],\n                \"cis20\": [\n                    \"CIS 4\"\n                ],\n                \"nist\": [\n                    \"ID.RA\",\n                    \"RS.MI\",\n                    \"PR.IP\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Systems Ready for Spectre-Meltdown Windows Patch\",\n                    \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd61\",\n                    \"version\": 1,\n                    \"date\": \"2018-01-08\",\n                    \"description\": \"Some AV applications can cause the Spectre/Meltdown patch for Windows not to install successfully. This registry key is supposed to be created by the AV engine when it has been patched to be able to handle the Windows patch. If this key has been written, the system can then be patched for Spectre and Meltdown.\",\n                    \"how_to_implement\": \"You need to be ingesting logs with both the process name and command-line from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change_Analysis.All_Changes where All_Changes.object_category=registry AND (All_Changes.object_path=\\\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\QualityCompat*\\\") by All_Changes.dest, All_Changes.command, All_Changes.user, All_Changes.object, All_Changes.object_path | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(\\\"All_Changes\\\")`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Spectre And Meltdown Vulnerabilities\"\n                        ],\n                        \"detections\": [\n                            \"Spectre and Meltdown Vulnerable Systems\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"spectre_and_meltdown_vulnerable_systems_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Splunk Enterprise Information Disclosure\",\n            \"id\": \"f6a26b7b-7e80-4963-a9a8-d836e7534ebd\",\n            \"version\": 1,\n            \"date\": \"2018-06-14\",\n            \"description\": \"This search allows you to look for evidence of exploitation for CVE-2018-11409, a Splunk Enterprise Information Disclosure Bug.\",\n            \"how_to_implement\": \"The REST endpoint that exposes system information is also necessary for the proper operation of Splunk clustering and instrumentation. Whitelisting your Splunk systems will reduce false positives.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"index=_internal sourcetype=splunkd_ui_access server-info | search clientip!=127.0.0.1 uri_path=\\\"*raw/services/server/info/server-info\\\" | rename clientip as src_ip, splunk_server as dest | stats earliest(_time) as firstTime, latest(_time) as lastTime, values(uri) as uri, values(useragent) as http_user_agent, values(user) as user by src_ip, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_information_disclosure_filter`\",\n            \"known_false_positives\": \"Retrieving server information may be a legitimate API request. 
Verify that the attempt is a valid request for information.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Splunk Enterprise Vulnerability CVE-2018-11409\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Delivery\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 4\",\n                    \"CIS 18\"\n                ],\n                \"nist\": [\n                    \"ID.RA\",\n                    \"RS.MI\",\n                    \"PR.PT\",\n                    \"PR.AC\",\n                    \"PR.IP\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Splunk Server\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"splunk_enterprise_information_disclosure_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious Email - UBA Anomaly\",\n            \"id\": \"56e877a6-1455-4479-ad16-0550dc1e33f8\",\n            \"version\": 3,\n            \"date\": \"2020-07-22\",\n            \"description\": \"This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA).\",\n            \"how_to_implement\": \"You must be ingesting data from email logs and have Splunk integrated with UBA. This anomaly is raised by a UBA detection model called  \\\"SuspiciousEmailDetectionModel.\\\" Ensure that this model is enabled on your UBA instance.\",\n            \"type\": \"ESCU\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_UEBA_Events.category) as category from datamodel=UEBA where nodename=All_UEBA_Events.UEBA_Anomalies All_UEBA_Events.UEBA_Anomalies.uba_model = \\\"SuspiciousEmailDetectionModel\\\" by All_UEBA_Events.description All_UEBA_Events.severity All_UEBA_Events.user All_UEBA_Events.uba_event_type All_UEBA_Events.link All_UEBA_Events.signature All_UEBA_Events.url All_UEBA_Events.UEBA_Anomalies.uba_model | `drop_dm_object_name(All_UEBA_Events)` | `drop_dm_object_name(UEBA_Anomalies)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_email___uba_anomaly_filter`\",\n            \"known_false_positives\": \"This detection model will alert on any sender domain that is seen for the first time. This could be a potential false positive. 
The next step is to investigate and whitelist the URL if you determine that it is a legitimate sender.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Emails\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1566\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Delivery\"\n                ],\n                \"cis20\": [\n                    \"CIS 7\"\n                ],\n                \"nist\": [\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"threat\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Phishing\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"suspicious_email___uba_anomaly_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious Email Attachment Extensions\",\n            \"id\": \"473bd65f-06ca-4dfe-a2b8-ba04ab4a0084\",\n            \"version\": 3,\n            \"date\": \"2020-07-22\",\n            \"description\": \"This search looks for emails that have attachments with suspicious file extensions.\",\n            \"how_to_implement\": \"You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. \\\\\\n **Splunk Phantom Playbook Integration**\\\\\\nIf Splunk Phantom is also configured in your environment, a Playbook called \\\"Suspicious Email Attachment Investigate and Delete\\\" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the \\\"Phantom Instance\\\" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. 
If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.\",\n            \"type\": \"ESCU\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name=\\\"*\\\" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Email\\\")` | `suspicious_email_attachments` | `suspicious_email_attachment_extensions_filter` \",\n            \"known_false_positives\": \"None identified\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Emotet Malware  DHS Report TA18-201A \",\n                    \"Suspicious Emails\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1566.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Delivery\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 7\",\n                    \"CIS 12\"\n                ],\n                \"nist\": [\n                    \"DE.AE\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Spearphishing Attachment\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Magic Hound\",\n                    \"Windshift\",\n                    \"APT33\",\n                    \"Sandworm Team\",\n                    \"Naikon\",\n                    \"Gamaredon Group\",\n                    \"Sharpshooter\",\n             
       \"Molerats\",\n                    \"Mofang\",\n                    \"Wizard Spider\",\n                    \"RTM\",\n                    \"Frankenstein\",\n                    \"Inception\",\n                    \"BlackTech\",\n                    \"APT-C-36\",\n                    \"APT41\",\n                    \"Machete\",\n                    \"admin@338\",\n                    \"Kimsuky\",\n                    \"APT12\",\n                    \"TA505\",\n                    \"Silence\",\n                    \"The White Company\",\n                    \"APT39\",\n                    \"FIN4\",\n                    \"Darkhotel\",\n                    \"Gallmaker\",\n                    \"Tropic Trooper\",\n                    \"Turla\",\n                    \"Gorgon Group\",\n                    \"Rancor\",\n                    \"DarkHydrus\",\n                    \"Cobalt Group\",\n                    \"FIN7\",\n                    \"OilRig\",\n                    \"Lazarus Group\",\n                    \"APT19\",\n                    \"Dragonfly 2.0\",\n                    \"BRONZE BUTLER\",\n                    \"APT32\",\n                    \"FIN8\",\n                    \"MuddyWater\",\n                    \"APT28\",\n                    \"TA459\",\n                    \"Leviathan\",\n                    \"Patchwork\",\n                    \"PLATINUM\",\n                    \"Elderwood\",\n                    \"APT29\",\n                    \"APT37\",\n                    \"menuPass\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | 
search suspicious=true\",\n                    \"description\": \"This macro limits the output to email attachments that have suspicious extensions\",\n                    \"name\": \"suspicious_email_attachments\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"suspicious_email_attachment_extensions_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Abnormally High AWS Instances Launched by User\",\n            \"id\": \"2a9b80d3-6340-4345-b5ad-290bf5d0dac4\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for CloudTrail events where a user successfully launches an abnormally high number of instances.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
The threshold value should be tuned to your environment.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success | bucket span=10m _time | stats count AS instances_launched by _time userName | eventstats avg(instances_launched) as total_launched_avg, stdev(instances_launched) as total_launched_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_launched > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), \\\"-10m@m\\\") | eval num_standard_deviations_away = round(abs(instances_launched - total_launched_avg) / total_launched_stdev, 2) | table _time, userName, instances_launched, num_standard_deviations_away, total_launched_avg, total_launched_stdev | `abnormally_high_aws_instances_launched_by_user_filter`\",\n            \"known_false_positives\": \"Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. 
Always verify if this search alerted on a human user.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Cryptomining\",\n                    \"Suspicious AWS EC2 Activities\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.004\"\n                ],\n                \"cis20\": [\n                    \"CIS 13\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"risk_score\": 40,\n                \"risk_object_type\": \"user\",\n                \"risk_object\": \"userName\",\n                \"mitre_attack_technique\": [\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT33\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"abnormally_high_aws_instances_launched_by_user_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Abnormally High AWS Instances Launched by User - MLTK\",\n            \"id\": \"dec41ad5-d579-42cb-b4c6-f5dbb778bbe5\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for CloudTrail events where a user successfully launches an abnormally high number of instances.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. The threshold value should be tuned to your environment.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Jason Brewer, Splunk\",\n            \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success `abnormally_high_aws_instances_launched_by_user___mltk_filter` | bucket span=10m _time  | stats count as instances_launched by _time src_user  | apply ec2_excessive_runinstances_v1  | rename \\\"IsOutlier(instances_launched)\\\" as isOutlier  | where isOutlier=1\",\n            \"known_false_positives\": \"Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. 
Always verify if this search alerted on a human user.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Cloud Cryptomining\",\n                    \"Suspicious AWS EC2 Activities\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.004\"\n                ],\n                \"cis20\": [\n                    \"CIS 13\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT33\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Baseline of Excessive AWS Instances Launched by User - MLTK\",\n                    \"id\": \"fa5634df-fb05-4b4b-aba0-6115138bb1ba\",\n                    \"version\": 1,\n                    \"date\": \"2019-11-14\",\n                    \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model for how many RunInstances users do in the environment. By default, the search uses the last 90 days of data to build the model. 
The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of RunInstances performed by a user in a small time window.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\\\\\\nIn addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data.\\\\\\nMore information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success `ec2_excessive_runinstances_mltk_input_filter` | bucket span=10m _time | stats count as instances_launched by _time src_user | fit DensityFunction instances_launched threshold=0.0005 into ec2_excessive_runinstances_v1\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Cloud Cryptomining\",\n                            \"Suspicious AWS EC2 Activities\"\n                        ],\n                        \"detections\": [\n                            \"Abnormally High AWS Instances Launched by User - MLTK\"\n                        ]\n                    }\n                
}\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"abnormally_high_aws_instances_launched_by_user___mltk_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Abnormally High AWS Instances Terminated by User\",\n            \"id\": \"ada0f478-84a8-4641-s3f3-d82362dffd75\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for CloudTrail events where an abnormally high number of instances were successfully terminated by a user in a 10-minute window\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` eventName=TerminateInstances errorCode=success | bucket span=10m _time | stats count AS instances_terminated by _time userName | eventstats avg(instances_terminated) as total_terminations_avg, stdev(instances_terminated) as total_terminations_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_terminated > total_terminations_avg+(total_terminations_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), \\\"-10m@m\\\")| eval num_standard_deviations_away = 
round(abs(instances_terminated - total_terminations_avg) / total_terminations_stdev, 2) |table _time, userName, instances_terminated, num_standard_deviations_away, total_terminations_avg, total_terminations_stdev | `abnormally_high_aws_instances_terminated_by_user_filter`\",\n            \"known_false_positives\": \"Many service accounts configured with your AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify whether this search alerted on a human user.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious AWS EC2 Activities\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.004\"\n                ],\n                \"cis20\": [\n                    \"CIS 13\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT33\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with the configuration for your Splunk environment.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"abnormally_high_aws_instances_terminated_by_user_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Abnormally High AWS Instances Terminated by User - MLTK\",\n            \"id\": \"1c02b86a-cd85-473e-a50b-014a9ac8fe3e\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for CloudTrail events where a user successfully terminates an abnormally high number of instances.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This detection applies the ec2_excessive_terminateinstances_v1 model built by its baseline search; the outlier threshold is the DensityFunction threshold parameter in that baseline and should be tuned to your environment.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Jason Brewer, Splunk\",\n            \"search\": \"`cloudtrail` eventName=TerminateInstances errorCode=success `abnormally_high_aws_instances_terminated_by_user___mltk_filter` | bucket span=10m _time  | stats count as instances_terminated by _time src_user  | apply ec2_excessive_terminateinstances_v1  | rename \\\"IsOutlier(instances_terminated)\\\" as isOutlier  | where isOutlier=1\",\n            \"known_false_positives\": \"Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. 
Always verify if this search alerted on a human user.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious AWS EC2 Activities\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.004\"\n                ],\n                \"cis20\": [\n                    \"CIS 13\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT33\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Baseline of Excessive AWS Instances Terminated by User - MLTK\",\n                    \"id\": \"b28ed6de-e4ba-40f7-ae0a-93a088c774ab\",\n                    \"version\": 1,\n                    \"date\": \"2019-11-14\",\n                    \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model for how many TerminateInstances users do in the environment. By default, the search uses the last 90 days of data to build the model. 
The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of TerminateInstances performed by a user in a small time window.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\\\\\\nIn addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data.\\\\\\nMore information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=TerminateInstances errorCode=success `ec2_excessive_terminateinstances_mltk_input_filter` | bucket span=10m _time | stats count as instances_terminated by _time src_user | fit DensityFunction instances_terminated threshold=0.0005 into ec2_excessive_terminateinstances_v1\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS EC2 Activities\"\n                        ],\n                        \"detections\": [\n                            \"Abnormally High AWS Instances Terminated by User - MLTK\"\n                        ]\n                    }\n                }\n            ],\n    
        \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"abnormally_high_aws_instances_terminated_by_user___mltk_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Amazon EKS Kubernetes cluster scan detection\",\n            \"id\": \"294c4686-63dd-4fe6-93a2-ca807626704a\",\n            \"version\": 1,\n            \"date\": \"2020-04-15\",\n            \"description\": \"This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster in AWS\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rod Soto, Splunk\",\n            \"search\": \"`aws_cloudwatchlogs_eks` \\\"user.username\\\"=\\\"system:anonymous\\\" userAgent!=\\\"AWS Security Scanner\\\" | rename sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`amazon_eks_kubernetes_cluster_scan_detection_filter` \",\n            
\"known_false_positives\": \"Not all unauthenticated requests are malicious, but frequency, UA and source IPs will provide context.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Scanning Activity\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Reconnaissance\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1526\"\n                ],\n                \"security_domain\": \"threat\",\n                \"asset_type\": \"Amazon EKS Kubernetes cluster\",\n                \"mitre_attack_technique\": [\n                    \"Cloud Service Discovery\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Discovery\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"aws_cloudwatchlogs_eks\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"amazon_eks_kubernetes_cluster_scan_detection_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Amazon EKS Kubernetes Pod scan detection\",\n            \"id\": \"dbfca1dd-b8e5-4ba4-be0e-e565e5d62002\",\n            \"version\": 1,\n            \"date\": \"2020-04-15\",\n            \"description\": \"This search provides detection information on unauthenticated requests against Kubernetes' Pods API\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rod Soto, Splunk\",\n            \"search\": \"`aws_cloudwatchlogs_eks` \\\"user.username\\\"=\\\"system:anonymous\\\" verb=list objectRef.resource=pods requestURI=\\\"/api/v1/pods\\\" | rename source as cluster_name sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter` \",\n            \"known_false_positives\": \"Not all unauthenticated requests are malicious, but frequency, UA and source IPs and direct request to API provide context.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Scanning Activity\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Reconnaissance\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1526\"\n                ],\n                
\"security_domain\": \"threat\",\n                \"asset_type\": \"Amazon EKS Kubernetes cluster Pod\",\n                \"mitre_attack_technique\": [\n                    \"Cloud Service Discovery\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Discovery\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"aws_cloudwatchlogs_eks\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"amazon_eks_kubernetes_pod_scan_detection_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"AWS Cloud Provisioning From Previously Unseen City\",\n            \"id\": \"344a1778-0b25-490c-adb1-de8beddf59cd\",\n            \"version\": 1,\n            \"date\": \"2018-03-16\",\n            \"description\": \"This search looks for AWS provisioning activities from previously unseen cities.  
Provisioning activities are defined broadly as any event that begins with \\\"Run\\\" or \\\"Create.\\\" \",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the \\\"Previously Seen AWS Provisioning Activity Sources\\\" support search once to create a history of previously seen locations that have provisioned AWS resources.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by City | eval newCity=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newCity=1 | table City] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, City, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_city_filter`\",\n            \"known_false_positives\": \"This is a strictly behavioral search, so we define \\\"false positive\\\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. 
But while there are really no \\\"false positives\\\" in a traditional sense, there is definitely lots of noise.\\\\\\n This search will fire any time a new city is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your city, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Suspicious Provisioning Activities\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1535\"\n                ],\n                \"cis20\": [\n                    \"CIS 1\"\n                ],\n                \"nist\": [\n                    \"ID.AM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"AWS Instance\",\n                \"risk_score\": 25,\n                \"risk_object_type\": \"user\",\n                \"risk_object\": \"user\",\n                \"mitre_attack_technique\": [\n                    \"Unused/Unsupported Cloud Regions\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously Seen AWS Provisioning Activity Sources\",\n                    \"id\": \"ac88e6a0-4fba-4dfd-b7b9-8964df7d1aee\",\n                    \"version\": 1,\n                    \"date\": \"2018-03-16\",\n                    \"description\": \"This search builds a table of the first and last times seen for every IP address (along with its physical 
location) previously associated with cloud-provisioning activity. This is broadly defined as any event that runs or creates something.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Suspicious Provisioning Activities\"\n                        ],\n                        \"detections\": [\n                            \"AWS Cloud Provisioning From Previously Unseen IP Address\",\n                            \"AWS Cloud Provisioning From Previously Unseen City\",\n                            \"AWS Cloud Provisioning From Previously Unseen Country\",\n                            \"AWS Cloud Provisioning From Previously Unseen Region\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"aws_cloud_provisioning_from_previously_unseen_city_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"AWS Cloud Provisioning From Previously Unseen Country\",\n            \"id\": \"ceb8d3d8-06cb-49eb-beaf-829526e33ff0\",\n            \"version\": 1,\n            \"date\": \"2018-03-16\",\n            \"description\": \"This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with \\\"Run\\\" or \\\"Create.\\\" \",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the \\\"Previously Seen AWS Provisioning Activity Sources\\\" support search once to create a history of previously seen locations that have provisioned AWS resources.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Country | eval newCountry=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newCountry=1 | table Country] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Country, eventName, 
errorCode | `aws_cloud_provisioning_from_previously_unseen_country_filter`\",\n            \"known_false_positives\": \"This is a strictly behavioral search, so we define \\\"false positive\\\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over plus what is stored in the cache feature. But while there are really no \\\"false positives\\\" in a traditional sense, there is definitely lots of noise.\\\\\\n This search will fire any time a new country is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Suspicious Provisioning Activities\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1535\"\n                ],\n                \"cis20\": [\n                    \"CIS 1\"\n                ],\n                \"nist\": [\n                    \"ID.AM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [\n                    \"Unused/Unsupported Cloud Regions\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously Seen AWS Provisioning Activity Sources\",\n                    \"id\": 
\"ac88e6a0-4fba-4dfd-b7b9-8964df7d1aee\",\n                    \"version\": 1,\n                    \"date\": \"2018-03-16\",\n                    \"description\": \"This search builds a table of the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity. This is broadly defined as any event that runs or creates something.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Suspicious Provisioning Activities\"\n                        ],\n                        \"detections\": [\n                            \"AWS Cloud Provisioning From Previously Unseen IP Address\",\n                            \"AWS Cloud Provisioning From Previously Unseen City\",\n                            \"AWS Cloud Provisioning From Previously Unseen Country\",\n                            \"AWS Cloud Provisioning From Previously Unseen Region\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"aws_cloud_provisioning_from_previously_unseen_country_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"AWS Cloud Provisioning From Previously Unseen IP Address\",\n            \"id\": \"42e15012-ac14-4801-94f4-f1acbe64880b\",\n            \"version\": 1,\n            \"date\": \"2018-03-16\",\n            \"description\": \"This search looks for AWS provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that begins with \\\"Run\\\" or \\\"Create.\\\" \",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
This search works best when you run the \\\"Previously Seen AWS Provisioning Activity Sources\\\" support search once to create a history of previously seen locations that have provisioned AWS resources.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`cloudtrail` (eventName=Run* OR eventName=Create*) [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress | eval newIP=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newIP=1 | table sourceIPAddress] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_ip_address_filter`\",\n            \"known_false_positives\": \"This is a strictly behavioral search, so we define \\\"false positive\\\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \\\"false positives\\\" in a traditional sense, there is definitely lots of noise.\\\\\\n This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. 
If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Suspicious Provisioning Activities\"\n                ],\n                \"cis20\": [\n                    \"CIS 1\"\n                ],\n                \"nist\": [\n                    \"ID.AM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously Seen AWS Provisioning Activity Sources\",\n                    \"id\": \"ac88e6a0-4fba-4dfd-b7b9-8964df7d1aee\",\n                    \"version\": 1,\n                    \"date\": \"2018-03-16\",\n                    \"description\": \"This search builds a table of the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity. 
This is broadly defined as any event that runs or creates something.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Suspicious Provisioning Activities\"\n                        ],\n                        \"detections\": [\n                            \"AWS Cloud Provisioning From Previously Unseen IP Address\",\n                            \"AWS Cloud Provisioning From Previously Unseen City\",\n                            \"AWS Cloud Provisioning From Previously Unseen Country\",\n                            \"AWS Cloud Provisioning From Previously Unseen Region\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"aws_cloud_provisioning_from_previously_unseen_ip_address_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"AWS Cloud Provisioning From Previously Unseen Region\",\n            \"id\": \"7971d3df-da82-4648-a6e5-b5637bea5253\",\n            \"version\": 1,\n            \"date\": \"2018-03-16\",\n            \"description\": \"This search looks for AWS provisioning activities from previously unseen regions. Region in this context is similar to a state in the United States. Provisioning activities are defined broadly as any event that begins with \\\"Run\\\" or \\\"Create.\\\"\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the \\\"Previously Seen AWS Provisioning Activity Sources\\\" support search once to create a history of previously seen locations that have provisioned AWS resources.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Region | eval newRegion=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newRegion=1 | table Region] | spath output=user userIdentity.arn | rename sourceIPAddress as 
src_ip | table _time, user, src_ip, Region, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_region_filter`\",\n            \"known_false_positives\": \"This is a strictly behavioral search, so we define \\\"false positive\\\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \\\"false positives\\\" in a traditional sense, there is definitely lots of noise.\\\\\\n This search will fire any time a new region is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your region, there should be few false positives. If you are located in regions where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Suspicious Provisioning Activities\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1535\"\n                ],\n                \"cis20\": [\n                    \"CIS 1\"\n                ],\n                \"nist\": [\n                    \"ID.AM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [\n                    \"Unused/Unsupported Cloud Regions\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously Seen AWS Provisioning Activity Sources\",\n          
          \"id\": \"ac88e6a0-4fba-4dfd-b7b9-8964df7d1aee\",\n                    \"version\": 1,\n                    \"date\": \"2018-03-16\",\n                    \"description\": \"This search builds a table of the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity. This is broadly defined as any event that runs or creates something.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Suspicious Provisioning Activities\"\n                        ],\n                        \"detections\": [\n                            \"AWS Cloud Provisioning From Previously Unseen IP Address\",\n                            \"AWS Cloud Provisioning From Previously Unseen City\",\n                            \"AWS Cloud Provisioning From Previously Unseen Country\",\n                            \"AWS Cloud Provisioning From Previously Unseen Region\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"aws_cloud_provisioning_from_previously_unseen_region_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"AWS Cross Account Activity From Previously Unseen Account\",\n            \"id\": \"64fbbddf-fabf-4edf-80b3-0cc36ef37727\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for AssumeRole events where an IAM role in a different account is requested for the first time.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Run the `Previously Seen AWS Cross Account Activity` support search only once to create the baseline of previously seen cross account activity. 
Thanks to Pablo Vega at Recurly for suggesting improvements to the search.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`cloudtrail` eventName=AssumeRole | spath output=requestingAccountId path=userIdentity.accountId | spath output=requestedAccountId path=resources{}.accountId | search requestingAccountId=* | where requestingAccountId != requestedAccountId | inputlookup append=t previously_seen_aws_cross_account_activity | multireport [| stats min(eval(coalesce(firstTime, _time))) as firstTime max(eval(coalesce(lastTime, _time))) as lastTime by requestingAccountId, requestedAccountId | outputlookup previously_seen_aws_cross_account_activity | where fact=fiction] [| eventstats min(eval(coalesce(firstTime, _time))) as firstTime, max(eval(coalesce(lastTime, _time))) as lastTime by requestingAccountId, requestedAccountId | where firstTime >= relative_time(now(), \\\"-70m@m\\\") AND isnotnull(_time) | spath output=accessKeyId path=responseElements.credentials.accessKeyId | spath output=requestingARN path=resources{}.ARN | stats values(awsRegion) as awsRegion values(firstTime) as firstTime values(lastTime) as lastTime values(sharedEventID) as sharedEventID, values(requestingARN) as src_user, values(responseElements.assumedRoleUser.arn) as dest_user by _time, requestingAccountId, requestedAccountId, accessKeyId] | table _time, firstTime, lastTime, src_user, requestingAccountId, dest_user, requestedAccountId, awsRegion, accessKeyId, sharedEventID | `aws_cross_account_activity_from_previously_unseen_account_filter`\",\n            \"known_false_positives\": \"Using multiple AWS accounts and roles is perfectly valid behavior. It's suspicious when an account requests privileges of an account it hasn't before. 
You should validate with the account owner that this is a legitimate request.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Cross Account Activity\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.004\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"PR.AC\",\n                    \"PR.DS\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT33\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously Seen AWS Cross Account Activity\",\n                    \"id\": \"1cc22b09-c867-416e-a511-cb36ac44aee2\",\n                    \"version\": 1,\n                    \"date\": \"2018-06-04\",\n                    \"description\": \"This search looks for **AssumeRole** events where the requesting account differs from the requested account, then writes these relationships to a lookup file.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
Validate the user name entries in `previously_seen_aws_cross_account_activity.csv`, a lookup file created by this support search.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=AssumeRole | spath output=requestingAccountId path=userIdentity.accountId | spath output=requestedAccountId path=resources{}.accountId | search requestingAccountId=* | where requestingAccountId!=requestedAccountId | stats earliest(_time) as firstTime latest(_time) as lastTime by requestingAccountId, requestedAccountId | outputlookup previously_seen_aws_cross_account_activity | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cross Account Activity\"\n                        ],\n                        \"detections\": [\n                            \"AWS Cross Account Activity From Previously Unseen Account\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"aws_cross_account_activity_from_previously_unseen_account_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-07-27\",\n            \"description\": \"This search provides detection of an user attaching itself to a different role trust policy. 
This can be used for lateral movement and escalation of privileges.\",\n            \"how_to_implement\": \"You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs\",\n            \"id\": \"88fc31dd-f331-448c-9856-d3d51dd5d3a1\",\n            \"known_false_positives\": \"Attach to policy can create a lot of noise. This search can be adjusted to provide specific values to identify cases of abuse (i.e status=failure). The search can provide context for common users attaching themselves to higher privilege policies or even newly created policies.\",\n            \"name\": \"aws detect attach to role policy\",\n            \"references\": [],\n            \"search\": \"`aws_cloudwatchlogs_eks` attach policy| spath requestParameters.policyArn | table sourceIPAddress user_access_key userIdentity.arn userIdentity.sessionContext.sessionIssuer.arn eventName errorCode errorMessage status action requestParameters.policyArn userIdentity.sessionContext.attributes.mfaAuthenticated userIdentity.sessionContext.attributes.creationDate  | `aws_detect_attach_to_role_policy_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Cross Account Activity\"\n                ],\n                \"asset_type\": \"AWS Account\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [\n                    \"Valid Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    
\"Wizard Spider\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"TEMP.Veles\",\n                    \"APT39\",\n                    \"FIN4\",\n                    \"Night Dragon\",\n                    \"Dragonfly 2.0\",\n                    \"FIN8\",\n                    \"Leviathan\",\n                    \"APT33\",\n                    \"OilRig\",\n                    \"FIN5\",\n                    \"menuPass\",\n                    \"APT28\",\n                    \"FIN10\",\n                    \"Suckfly\",\n                    \"FIN6\",\n                    \"Threat Group-3390\",\n                    \"APT18\",\n                    \"PittyTiger\",\n                    \"Carbanak\"\n                ]\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"aws_cloudwatchlogs_eks\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"aws_detect_attach_to_role_policy_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-07-27\",\n            \"description\": \"This search provides detection of accounts creating permanent keys. Permanent keys are not created by default and they are only needed for programmatic calls. 
Creation of Permanent key is an important event to monitor.\",\n            \"how_to_implement\": \"You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs\",\n            \"id\": \"12d6d713-3cb4-4ffc-a064-1dca3d1cca01\",\n            \"known_false_positives\": \"Not all permanent key creations are malicious. If there is a policy of rotating keys this search can be adjusted to provide better context.\",\n            \"name\": \"aws detect permanent key creation\",\n            \"references\": [],\n            \"search\": \"`aws_cloudwatchlogs_eks` CreateAccessKey | spath eventName | search eventName=CreateAccessKey \\\"userIdentity.type\\\"=IAMUser | table sourceIPAddress userName userIdentity.type userAgent action status responseElements.accessKey.createDate responseElements.accessKey.status responseElements.accessKey.accessKeyId |`aws_detect_permanent_key_creation_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Cross Account Activity\"\n                ],\n                \"asset_type\": \"AWS Account\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [\n                    \"Valid Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"Wizard Spider\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"TEMP.Veles\",\n                    \"APT39\",\n 
                   \"FIN4\",\n                    \"Night Dragon\",\n                    \"Dragonfly 2.0\",\n                    \"FIN8\",\n                    \"Leviathan\",\n                    \"APT33\",\n                    \"OilRig\",\n                    \"FIN5\",\n                    \"menuPass\",\n                    \"APT28\",\n                    \"FIN10\",\n                    \"Suckfly\",\n                    \"FIN6\",\n                    \"Threat Group-3390\",\n                    \"APT18\",\n                    \"PittyTiger\",\n                    \"Carbanak\"\n                ]\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"aws_cloudwatchlogs_eks\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"aws_detect_permanent_key_creation_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-07-27\",\n            \"description\": \"This search provides detection of role creation by IAM users. Role creation is an event by itself if user is creating a new role with trust policies different than the available in AWS and it can be used for lateral movement and escalation of privileges.\",\n            \"how_to_implement\": \"You must install splunk AWS add-on and Splunk App for AWS. 
This search works with cloudwatch logs\",\n            \"id\": \"5f04081e-ddee-4353-afe4-504f288de9ad\",\n            \"known_false_positives\": \"CreateRole is not very common in common users. This search can be adjusted to provide specific values to identify cases of abuse. In general AWS provides plenty of trust policies that fit most use cases.\",\n            \"name\": \"aws detect role creation\",\n            \"references\": [],\n            \"search\": \"`aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole requestParameters.description=Allows* | table sourceIPAddress userIdentity.principalId userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName requestParameters.description responseElements.role.arn responseElements.role.createDate | `aws_detect_role_creation_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Cross Account Activity\"\n                ],\n                \"asset_type\": \"AWS Account\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [\n                    \"Valid Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"Wizard Spider\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"TEMP.Veles\",\n                    \"APT39\",\n                    \"FIN4\",\n                    
\"Night Dragon\",\n                    \"Dragonfly 2.0\",\n                    \"FIN8\",\n                    \"Leviathan\",\n                    \"APT33\",\n                    \"OilRig\",\n                    \"FIN5\",\n                    \"menuPass\",\n                    \"APT28\",\n                    \"FIN10\",\n                    \"Suckfly\",\n                    \"FIN6\",\n                    \"Threat Group-3390\",\n                    \"APT18\",\n                    \"PittyTiger\",\n                    \"Carbanak\"\n                ]\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"aws_cloudwatchlogs_eks\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"aws_detect_role_creation_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-07-27\",\n            \"description\": \"This search provides detection of suspicious use of sts:AssumeRole. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.\",\n            \"how_to_implement\": \"You must install splunk AWS add on and Splunk App for AWS. This search works with cloudtrail logs\",\n            \"id\": \"8e565314-b6a2-46d8-9f05-1a34a176a662\",\n            \"known_false_positives\": \"Sts:AssumeRole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. 
This search can be adjusted to provide specific values to identify cases of abuse.\",\n            \"name\": \"aws detect sts assume role abuse\",\n            \"references\": [],\n            \"search\": \"`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role | table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate | `aws_detect_sts_assume_role_abuse_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Cross Account Activity\"\n                ],\n                \"asset_type\": \"AWS Account\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [\n                    \"Valid Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"Wizard Spider\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"TEMP.Veles\",\n                    \"APT39\",\n                    \"FIN4\",\n                    \"Night Dragon\",\n                    \"Dragonfly 2.0\",\n                    \"FIN8\",\n                    \"Leviathan\",\n                    \"APT33\",\n                    \"OilRig\",\n                    \"FIN5\",\n                    \"menuPass\",\n                    \"APT28\",\n                    \"FIN10\",\n                    \"Suckfly\",\n             
       \"FIN6\",\n                    \"Threat Group-3390\",\n                    \"APT18\",\n                    \"PittyTiger\",\n                    \"Carbanak\"\n                ]\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"aws_detect_sts_assume_role_abuse_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-07-27\",\n            \"description\": \"This search provides detection of suspicious use of sts:GetSessionToken. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.\",\n            \"how_to_implement\": \"You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs\",\n            \"id\": \"85d7b35f-b8b5-4b01-916f-29b81e7a0551\",\n            \"known_false_positives\": \"Sts:GetSessionToken can be very noisy as in certain environments numerous calls of this type can be executed. This search can be adjusted to provide specific values to identify cases of abuse. 
In specific environments the use of field requestParameters.serialNumber will need to be used.\",\n            \"name\": \"aws detect sts get session token abuse\",\n            \"references\": [],\n            \"search\": \"`aws_cloudwatchlogs_eks` ASIA  userIdentity.type=IAMUser| spath eventName | search eventName=GetSessionToken | table sourceIPAddress eventTime userIdentity.arn userName userAgent user_type status region | `aws_detect_sts_get_session_token_abuse_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Cross Account Activity\"\n                ],\n                \"asset_type\": \"AWS Account\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1550\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [\n                    \"Use Alternate Authentication Material\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"aws_cloudwatchlogs_eks\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"aws_detect_sts_get_session_token_abuse_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"AWS Network Access Control List Created with All Open Ports\",\n            \"id\": \"ada0f478-84a8-4641-a3f1-d82362d6bd75\",\n            \"version\": 1,\n            \"date\": \"2017-01-10\",\n            \"description\": \"The search looks for CloudTrail events to detect if any network ACLs were created with all the ports open to a specified CIDR.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS, version 4.4.0 or later, and configure your CloudTrail inputs.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` eventName=CreateNetworkAclEntry | mvexpand requestParameters | mvexpand responseElements | search requestParameters.portRange.from=1024 requestParameters.portRange.to=65535 requestParameters.ruleAction=allow | rename userIdentity.arn as arn | rename requestParameters.networkAclId as networkAclId | table _time aws_account_id src userName arn networkAclId requestParameters.* responseElements.* | `aws_network_access_control_list_created_with_all_open_ports_filter`\",\n            \"known_false_positives\": \"It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Network ACL Activity\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 11\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.AE\"\n                ],\n  
              \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"aws_network_access_control_list_created_with_all_open_ports_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"AWS Network Access Control List Deleted\",\n            \"id\": \"ada0f478-84a8-4641-a3f1-d82362d6fd75\",\n            \"version\": 1,\n            \"date\": \"2017-01-10\",\n            \"description\": \"Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. 
This search will query the CloudTrail logs to detect users deleting network ACLs.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` eventName=DeleteNetworkAcl|rename userIdentity.arn as arn  | stats count min(_time) as firstTime max(_time) as lastTime values(errorMessage) values(errorCode) values(userAgent) values(userIdentity.*) by src userName arn eventName | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `aws_network_access_control_list_deleted_filter`\",\n            \"known_false_positives\": \"It's possible that a user has legitimately deleted a network ACL.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Network ACL Activity\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 11\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"aws_network_access_control_list_deleted_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Cloud Compute Instance Created By Previously Unseen User\",\n            \"id\": \"76988f6a-3935-48f6-a9e5-6fca8b3ed843\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for cloud compute instances created by users who have not created them before.\",\n            \"how_to_implement\": \"You must be ingesting the appropriate cloud-infrastructure logs and have the Security Research cloud data model (https://github.com/splunk/cloud-datamodel-security-research/) installed. 
Run the \\\"Previously Seen Cloud Compute Creations By User\\\" support search to create of baseline of previously seen users.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` earliest(_time) as firstTime, latest(_time) as lastTime values(Compute.dest) as dest from datamodel=Cloud_Infrastructure.Compute where Compute.action=run by Compute.src_user | `drop_dm_object_name(\\\"Compute\\\")` | inputlookup append=t previously_seen_cloud_compute_creations_by_user  | stats min(firstTime) as firstTime max(lastTime) as lastTime, values(dest) as dest by src_user | multireport [| table src_user, firstTime, lastTime | outputlookup previously_seen_cloud_compute_creations_by_user | where fact=fiction][| eval new_user=if(firstTime >= relative_time(now(), `previously_seen_cloud_compute_creations_by_user_search_window_begin_offset`), 1, 0) | where new_user=1 | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`] | table src_user, dest, firstTime, lastTime | `cloud_compute_instance_created_by_previously_unseen_user_filter`\",\n            \"known_false_positives\": \"It's possible that a user will start to create compute instances for the first time, for any number of reasons. 
Verify with the user launching instances that this is the intended behavior.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Cloud Cryptomining\"\n                ],\n                \"cis20\": [\n                    \"CIS 1\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.004\"\n                ],\n                \"nist\": [\n                    \"ID.AM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Cloud Compute Instance\",\n                \"mitre_attack_technique\": [\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT33\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously Seen Cloud Compute Creations By User\",\n                    \"id\": \"9fa1c205-4e08-4681-bb1b-d0943e734b85\",\n                    \"version\": 1,\n                    \"date\": \"2018-03-15\",\n                    \"description\": \"This search builds a table of previously seen users that have launched a cloud compute instance.\",\n                    \"how_to_implement\": \"You must be ingesting the approrpiate cloud infrastructure logs and have the Security Research cloud data model installed.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Cloud_Infrastructure.Compute where Compute.action=run `previously_seen_cloud_compute_creations_by_user_input_filter` by Compute.src_user | `drop_dm_object_name(\\\"Compute\\\")` | outputlookup 
previously_seen_cloud_compute_creations_by_user | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Cloud Cryptomining\"\n                        ],\n                        \"detections\": [\n                            \"Cloud Compute Instance Created By Previously Unseen User\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"description\": \"Use this macro to determine how far into the past the window should be to determine if the user is new or not\",\n                    \"definition\": \"-70m@m\",\n                    \"name\": \"previously_seen_cloud_compute_creations_by_user_search_window_begin_offset\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"cloud_compute_instance_created_by_previously_unseen_user_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Cloud Compute Instance Created With Previously Unseen Image\",\n            \"id\": \"bc24922d-987c-4645-b288-f8c73ec194c4\",\n            \"version\": 1,\n            \"date\": \"2018-10-12\",\n            \"description\": \"This search looks for cloud compute instances being created with previously unseen image IDs.\",\n            \"how_to_implement\": \"You must be ingesting the appropriate cloud-infrastructure logs and have the Security Research cloud data model (https://github.com/splunk/cloud-datamodel-security-research/) installed. Run the \\\"Previously Seen Cloud Compute Images\\\" support search to create a baseline of previously seen images.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(Compute.dest) as dest from datamodel=Cloud_Infrastructure.Compute where Compute.action=run `cloud_compute_instance_created_with_previously_unseen_image_filter` by Compute.image_id, Compute.src_user | `drop_dm_object_name(\\\"Compute\\\")` | inputlookup append=t previously_seen_cloud_compute_images | stats min(firstTime) as firstTime max(lastTime) as lastTime, values(dest) as dest by image_id, src_user | multireport [| table image_id, firstTime, lastTime | outputlookup previously_seen_cloud_compute_images | where fact=fiction][| eval new_image=if(firstTime >= relative_time(now(), `previously_seen_cloud_compute_image_search_window_begin_offset`), 1, 0) | where new_image=1 | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`] | table image_id, dest, src_user, firstTime, lastTime\",\n            \"known_false_positives\": \"After a new image is created, the first systems created with that image will 
cause this alert to fire.  Verify that the image being used was created by a legitimate user.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Cloud Cryptomining\"\n                ],\n                \"cis20\": [\n                    \"CIS 1\"\n                ],\n                \"nist\": [\n                    \"ID.AM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Cloud Compute Instance\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously Seen Cloud Compute Images\",\n                    \"id\": \"3782ad10-5ce2-46e2-b9c4-1de9ecd3aecc\",\n                    \"version\": 1,\n                    \"date\": \"2018-03-12\",\n                    \"description\": \"This search builds a table of previously seen images used to launch cloud compute instances\",\n                    \"how_to_implement\": \"You must be ingesting the approrpiate cloud infrastructure logs and have the Security Research cloud data model installed.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Cloud_Infrastructure.Compute where Compute.action=run `previously_seen_cloud_compute_image_input_filter` by Compute.image_id | `drop_dm_object_name(\\\"Compute\\\")` | outputlookup previously_seen_cloud_compute_images | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Cloud Cryptomining\"\n                        ],\n                        \"detections\": [\n                            \"Cloud Compute Instance Created With Previously Unseen Image\"\n                        ]\n                    }\n   
             }\n            ],\n            \"macros\": [\n                {\n                    \"description\": \"Use this macro to determine how far into the past the window should be to determine if the image is new or not\",\n                    \"definition\": \"-70m@m\",\n                    \"name\": \"previously_seen_cloud_compute_image_search_window_begin_offset\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"cloud_compute_instance_created_with_previously_unseen_image_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Cloud Compute Instance Created With Previously Unseen Instance Type\",\n            \"id\": \"c6ddbf53-9715-49f3-bb4c-fb2e8a309cda\",\n            \"version\": 1,\n            \"date\": \"2018-03-12\",\n            \"description\": \"Find EC2 instances being created with previously unseen instance types.\",\n            \"how_to_implement\": \"You must be ingesting the appropriate cloud-infrastructure logs and have the Security Research cloud data model (https://github.com/splunk/cloud-datamodel-security-research/) installed. 
Run the \\\" Previously Seen Cloud Compute Instance Types\\\" support search to create a baseline of previously seen regions.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(Compute.dest) as dest from datamodel=Cloud_Infrastructure.Compute where Compute.event_name=RunInstances `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` by Compute.instance_type, Compute.src_user | `drop_dm_object_name(\\\"Compute\\\")` | inputlookup append=t previously_seen_cloud_compute_instance_types | stats min(firstTime) as firstTime max(lastTime) as lastTime, values(dest) as dest by instance_type, src_user | multireport [| table instance_type, firstTime, lastTime | outputlookup previously_seen_cloud_compute_instance_types | where fact=fiction][| eval new_type=if(firstTime >= relative_time(now(), `previously_seen_cloud_compute_instance_types_search_window_begin_offset`), 1, 0) | where new_type=1 | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`] | table instance_type, dest, src_user, firstTime, lastTime\",\n            \"known_false_positives\": \"It is possible that an admin will create a new system using a new instance type that has never been used before. 
Verify with the creator that they intended to create the system with the new instance type.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Cloud Cryptomining\"\n                ],\n                \"cis20\": [\n                    \"CIS 1\"\n                ],\n                \"nist\": [\n                    \"ID.AM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Cloud Compute Instance\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously Seen Cloud Compute Instance Types\",\n                    \"id\": \"0ef13d46-164e-4cf5-816e-b3c0df170d00\",\n                    \"version\": 1,\n                    \"date\": \"2019-10-03\",\n                    \"description\": \"This search builds a table of previously seen cloud compute instance types\",\n                    \"how_to_implement\": \"You must be ingesting the approrpiate cloud infrastructure logs and have the Security Research cloud data model installed.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Cloud_Infrastructure.Compute where Compute.action=run `previously_seen_cloud_compute_instance_types_input_filter` by Compute.instance_type | `drop_dm_object_name(\\\"Compute\\\")` | outputlookup previously_seen_cloud_compute_instance_types | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Cloud Cryptomining\"\n                        ],\n                        \"detections\": [\n                            \"Cloud Compute Instance Created With Previously Unseen Instance Type\"\n                        ]\n       
             }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"description\": \"Use this macro to determine how far into the past the window should be to determine if the instance type is new or not\",\n                    \"definition\": \"-70m@m\",\n                    \"name\": \"previously_seen_cloud_compute_instance_types_search_window_begin_offset\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"cloud_compute_instance_created_with_previously_unseen_instance_type_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Cloud Compute Instance Started In Previously Unused Region\",\n            \"id\": \"fa4089e2-50e3-40f7-8469-d2cc1564ca59\",\n            \"version\": 1,\n            \"date\": \"2019-10-02\",\n            \"description\": \"This search looks at cloud-infrastructure events where an instance is created in any region within the last hour and then compares it to a lookup file of previously seen regions where instances have been created.\",\n            \"how_to_implement\": \"You must be ingesting the appropriate cloud-infrastructure logs and have the Security Research cloud data model (https://github.com/splunk/cloud-datamodel-security-research/) installed. 
Run the \\\\\\\"Previously Seen Cloud Compute Instance Types\\\\\\\" support search to create a baseline of previously seen regions.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(Compute.dest) as dest from datamodel=Cloud_Infrastructure.Compute where Compute.event_name=RunInstances `cloud_compute_instance_started_in_previously_unused_region_filter` by Compute.region, Compute.src_user | `drop_dm_object_name(\\\"Compute\\\")` | inputlookup append=t previously_seen_cloud_regions | stats min(firstTime) as firstTime max(lastTime) as lastTime, values(dest) as dest by region, src_user | multireport [| table region, firstTime, lastTime | outputlookup previously_seen_cloud_regions | where fact=fiction][| eval new_region=if(firstTime >= relative_time(now(), `previously_seen_cloud_regions_search_window_begin_offset`), 1, 0) | where new_region=1 | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`] | table region, dest, src_user, firstTime, lastTime\",\n            \"known_false_positives\": \"It's possible that a user has unknowingly started an instance in a new region. 
Please verify that this activity is legitimate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Cloud Cryptomining\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1535\"\n                ],\n                \"cis20\": [\n                    \"CIS 12\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Cloud Compute Instance\",\n                \"mitre_attack_technique\": [\n                    \"Unused/Unsupported Cloud Regions\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously Seen Cloud Regions\",\n                    \"id\": \"b5e232db-dec6-4db8-aaa1-dd5474521e40\",\n                    \"version\": 1,\n                    \"date\": \"2019-10-02\",\n                    \"description\": \"This search looks for cloud compute events where a compute instance is started and creates a baseline of most recent time, `lastTime` and the first time `firstTime` we've seen this region in our dataset grouped by the region for the last 30 days\",\n                    \"how_to_implement\": \"You must be ingesting the approrpiate cloud infrastructure logs and have the Security Research cloud data model installed.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Cloud_Infrastructure.Compute where Compute.action=start 
`previously_seen_cloud_regions_input_filter` by Compute.region | `drop_dm_object_name(\\\"Compute\\\")` | outputlookup previously_seen_cloud_regions | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Cloud Cryptomining\"\n                        ],\n                        \"detections\": [\n                            \"Cloud Compute Instance Started In Previously Unused Region\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"description\": \"Use this macro to determine how far into the past the window should be to determine if the region is new or not\",\n                    \"definition\": \"-70m@m\",\n                    \"name\": \"previously_seen_cloud_regions_search_window_begin_offset\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"cloud_compute_instance_started_in_previously_unused_region_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect API activity from users without MFA\",\n            \"id\": \"2a9b80d3-6340-4345-w5ad-212bf5d1dac4\",\n            \"version\": 1,\n            \"date\": \"2018-05-17\",\n            \"description\": \"This search looks for CloudTrail events where a user logged into the AWS account, is making API calls and has not enabled Multi Factor authentication. Multi factor authentication adds a layer of security by forcing the users to type a unique authentication code from an approved authentication device when they access AWS websites or services. AWS Best Practices recommend that you enable MFA for privileged IAM users.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Leverage the support search `Create a list of approved AWS service accounts`: run it once every 30 days to create a list of service accounts and validate them.\\\\\\nThis search produces fields (`eventName`,`userIdentity.type`,`userIdentity.arn`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** AWS Event Name, **Field:** eventName\\\\\\n1. \\\\\\n1. **Label:** AWS User ARN, **Field:** userIdentity.arn\\\\\\n1. \\\\\\n1. 
**Label:** AWS User Type, **Field:** userIdentity.type\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` userIdentity.sessionContext.attributes.mfaAuthenticated=false | search NOT [| inputlookup aws_service_accounts | fields identity | rename identity as user]| stats  count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by userIdentity.arn userIdentity.type user | `security_content_ctime(firstTime)`  | `security_content_ctime(lastTime)` | `detect_api_activity_from_users_without_mfa_filter`\",\n            \"known_false_positives\": \"Many service accounts configured within an AWS infrastructure do not have multi factor authentication enabled. Please ignore the service accounts, if triggered and instead add them to the aws_service_accounts.csv file to fine tune the detection. 
It is also possible that the search detects users in your environment using Single Sign-On systems, since the MFA is not handled by AWS.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS User Monitoring\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"PR.AC\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"detect_api_activity_from_users_without_mfa_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect AWS API Activities From Unapproved Accounts\",\n            \"id\": \"ada0f478-84a8-4641-a3f1-d82362d4bd55\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for successful CloudTrail activity by user accounts that are not listed in the identity table or `aws_service_accounts.csv`. It returns event names and count, as well as the first and last time a specific user or service is detected, grouped by users.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You must also populate the `identity_lookup_expanded` lookup shipped with the Asset and Identity framework to be able to look up users in your identity table in Enterprise Security (ES). Leverage the support search called \\\"Create a list of approved AWS service accounts\\\": run it once every 30 days to create and validate a list of service accounts.\\\\\\nThis search produces fields (`eventName`,`firstTime`,`lastTime`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** AWS Event Name, **Field:** eventName\\\\\\n1. \\\\\\n1. **Label:** First Time, **Field:** firstTime\\\\\\n1. \\\\\\n1. 
**Label:** Last Time, **Field:** lastTime\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` errorCode=success | rename userName as identity | search NOT [| inputlookup identity_lookup_expanded | fields identity] | search NOT [| inputlookup aws_service_accounts | fields identity] | rename identity as user | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_api_activities_from_unapproved_accounts_filter`\",\n            \"known_false_positives\": \"It's likely that you'll find activity detected by users/service accounts that are not listed in the `identity_lookup_expanded` or ` aws_service_accounts.csv` file. 
If the user is a legitimate service account, update the `aws_service_accounts.csv` table with that entry.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS User Monitoring\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.004\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.CM\",\n                    \"PR.AC\",\n                    \"ID.AM\"\n                ],\n                \"security_domain\": \"access\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT33\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Create a list of approved AWS service accounts\",\n                    \"id\": \"fc0edc95-ff2b-48b1-5f6f-63ga3789fd43\",\n                    \"version\": 2,\n                    \"date\": \"2018-12-03\",\n                    \"description\": \"This search looks for successful API activity in CloudTrail within the last 30 days, filters out known users from the identity table, and outputs values of users into `aws_service_accounts.csv` lookup file.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
Please validate the service account entires in `aws_service_accounts.csv`, which is a lookup file created as a result of running this support search. Please remove the entries of service accounts that are not legitimate.\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` errorCode=success | rename userName as identity | search NOT [inputlookup identity_lookup_expanded | fields identity] | stats count by identity | table identity | outputlookup aws_service_accounts | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS User Monitoring\"\n                        ],\n                        \"detections\": [\n                            \"Detect AWS API Activities From Unapproved Accounts\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"detect_aws_api_activities_from_unapproved_accounts_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect AWS Console Login by User from New City\",\n            \"id\": \"121b0b11-f8ac-4ed6-a132-3800ca4fc07a\",\n            \"version\": 1,\n            \"date\": \"2018-04-30\",\n            \"description\": \"This search looks for CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Run the \\\"Previously seen users in CloudTrail\\\" support search only once to create a baseline of previously seen IAM users within the last 30 days. 
Run \\\"Update previously seen users in CloudTrail\\\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.\",\n            \"type\": \"ESCU\",\n            \"author\": \"Jason Brewer, Splunk\",\n            \"search\": \"| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user City | join user type=outer [| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) AS earliestseen by user | fields earliestseen user] | eval userStatus=if(firstTime >= relative_time(now(), \\\"@d\\\"), \\\"New City\\\",\\\"Previously Seen City\\\") | eval UserData=if(earliestseen >= relative_time(now(), \\\"@d\\\") OR isnull(earliestseen), \\\"New User\\\",\\\"Old User\\\") | where userStatus=\\\"New City\\\" AND UserData=\\\"Old User\\\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `security_content_ctime(earliestseen)` | table user City userStatus firstTime lastTime earliestseen | `detect_aws_console_login_by_user_from_new_city_filter`\",\n            \"known_false_positives\": \"When a legitimate new user logins for the first time, this activity will be detected. 
Check how old the account is and verify that the user activity is legitimate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious AWS Login Activities\",\n                    \"Suspicious Cloud Authentication Activities\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1535\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [\n                    \"Unused/Unsupported Cloud Regions\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously seen users in CloudTrail\",\n                    \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd03\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-30\",\n                    \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last 30 days.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) as firstTime latest(_time) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS Login Activities\"\n                        ],\n                        \"detections\": [\n                            \"Detect AWS Console Login by User from New Country\",\n                            \"Detect AWS Console Login by User from New Region\",\n                            \"Detect AWS Console Login by User from New City\",\n                            \"Detect new user AWS Console Login\"\n                        ]\n                    }\n                },\n                {\n                    \"name\": \"Previously seen users in CloudTrail - DM\",\n                    \"id\": \"0a87ecf9-dc6a-43af-861a-205e75a09bf5\",\n                    \"version\": 1,\n                    \"date\": \"2020-05-28\",\n                    \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by username, within the last 30 days.\",\n                    \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. 
Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | table user src City Region Country firstTime lastTime | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Cloud Authentication Activities\"\n                        ],\n                        \"detections\": [\n                            \"Detect AWS Console Login by User from New Country\",\n                            \"Detect AWS Console Login by User from New Region\",\n                            \"Detect AWS Console Login by User from New City\",\n                            \"Detect new user AWS Console Login - DM\"\n                        ]\n                    }\n                },\n                {\n                    \"name\": \"Update previously seen users in CloudTrail\",\n                    \"id\": \"06c036e6-d6d7-4daa-bd76-411c3d356031\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-30\",\n                    \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last hour.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) AS firstTime latest(_time) AS lastTime by user src City Region Country | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS Login Activities\"\n                        ],\n                        \"detections\": [\n                            \"Detect AWS Console Login by User from New Country\",\n                            \"Detect AWS Console Login by User from New Region\",\n                            \"Detect AWS Console Login by User from New City\",\n                            \"Detect new user AWS Console Login\"\n                        ]\n                    }\n                },\n                {\n                    \"name\": \"Update previously seen users in CloudTrail - DM\",\n                    \"id\": \"66ff71c2-7e01-47dd-a041-906688c9d322\",\n                    \"version\": 1,\n                    \"date\": \"2020-05-28\",\n                    \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by user, within the last hour.\",\n                    \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS 
(version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authenticaiton.src | iplocation Authentication.src | rename Authentication.user as user Authentciation.src as src | table user src City Region Country firstTime lastTime | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Cloud Authentication Activities\"\n                        ],\n                        \"detections\": [\n                            \"Detect AWS Console Login by User from New Country\",\n                            \"Detect AWS Console Login by User from New Region\",\n                            \"Detect AWS Console Login by User from New City\",\n                            \"Detect new user AWS Console Login - DM\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    
\"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_aws_console_login_by_user_from_new_city_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect AWS Console Login by User from New Country\",\n            \"id\": \"67bd3def-c41c-4bf6-837b-ae196b4257c6\",\n            \"version\": 1,\n            \"date\": \"2018-04-30\",\n            \"description\": \"This search looks for CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Run the \\\"Previously seen users in CloudTrail\\\" support search only once to create a baseline of previously seen IAM users within the last 30 days. 
Run \\\"Update previously seen users in CloudTrail\\\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.\",\n            \"type\": \"ESCU\",\n            \"author\": \"Jason Brewer, Splunk\",\n            \"search\": \"| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user Country | join user type=outer [| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) AS earliestseen by user | fields earliestseen user] | eval userStatus=if(firstTime >= relative_time(now(), \\\"@d\\\"), \\\"New Country\\\",\\\"Previously Seen Country\\\") | eval UserData=if(earliestseen >= relative_time(now(), \\\"@d\\\") OR isnull(earliestseen), \\\"New User\\\",\\\"Old User\\\") | where userStatus=\\\"New Country\\\" AND UserData=\\\"Old User\\\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`security_content_ctime(earliestseen)` | table user Country userStatus firstTime lastTime earliestseen | `detect_aws_console_login_by_user_from_new_country_filter`\",\n            \"known_false_positives\": \"When a legitimate new user logins for the first time, this activity will be detected. 
Check how old the account is and verify that the user activity is legitimate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious AWS Login Activities\",\n                    \"Suspicious Cloud Authentication Activities\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1535\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [\n                    \"Unused/Unsupported Cloud Regions\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously seen users in CloudTrail\",\n                    \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd03\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-30\",\n                    \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last 30 days.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) as firstTime latest(_time) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS Login Activities\"\n                        ],\n                        \"detections\": [\n                            \"Detect AWS Console Login by User from New Country\",\n                            \"Detect AWS Console Login by User from New Region\",\n                            \"Detect AWS Console Login by User from New City\",\n                            \"Detect new user AWS Console Login\"\n                        ]\n                    }\n                },\n                {\n                    \"name\": \"Previously seen users in CloudTrail - DM\",\n                    \"id\": \"0a87ecf9-dc6a-43af-861a-205e75a09bf5\",\n                    \"version\": 1,\n                    \"date\": \"2020-05-28\",\n                    \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by username, within the last 30 days.\",\n                    \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. 
Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | table user src City Region Country firstTime lastTime | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Cloud Authentication Activities\"\n                        ],\n                        \"detections\": [\n                            \"Detect AWS Console Login by User from New Country\",\n                            \"Detect AWS Console Login by User from New Region\",\n                            \"Detect AWS Console Login by User from New City\",\n                            \"Detect new user AWS Console Login - DM\"\n                        ]\n                    }\n                },\n                {\n                    \"name\": \"Update previously seen users in CloudTrail\",\n                    \"id\": \"06c036e6-d6d7-4daa-bd76-411c3d356031\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-30\",\n                    \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last hour.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) AS firstTime latest(_time) AS lastTime by user src City Region Country | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS Login Activities\"\n                        ],\n                        \"detections\": [\n                            \"Detect AWS Console Login by User from New Country\",\n                            \"Detect AWS Console Login by User from New Region\",\n                            \"Detect AWS Console Login by User from New City\",\n                            \"Detect new user AWS Console Login\"\n                        ]\n                    }\n                },\n                {\n                    \"name\": \"Update previously seen users in CloudTrail - DM\",\n                    \"id\": \"66ff71c2-7e01-47dd-a041-906688c9d322\",\n                    \"version\": 1,\n                    \"date\": \"2020-05-28\",\n                    \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by user, within the last hour.\",\n                    \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS 
(version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authenticaiton.src | iplocation Authentication.src | rename Authentication.user as user Authentciation.src as src | table user src City Region Country firstTime lastTime | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Cloud Authentication Activities\"\n                        ],\n                        \"detections\": [\n                            \"Detect AWS Console Login by User from New Country\",\n                            \"Detect AWS Console Login by User from New Region\",\n                            \"Detect AWS Console Login by User from New City\",\n                            \"Detect new user AWS Console Login - DM\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    
\"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_aws_console_login_by_user_from_new_country_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect AWS Console Login by User from New Region\",\n            \"id\": \"9f31aa8e-e37c-46bc-bce1-8b3be646d026\",\n            \"version\": 1,\n            \"date\": \"2018-04-30\",\n            \"description\": \"This search looks for CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Run the \\\"Previously seen users in CloudTrail\\\" support search only once to create a baseline of previously seen IAM users within the last 30 days. 
Run \\\"Update previously seen users in CloudTrail\\\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.\",\n            \"type\": \"ESCU\",\n            \"author\": \"Jason Brewer, Splunk\",\n            \"search\": \"| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user Region | join user type=outer [| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) AS earliestseen by user | fields earliestseen user] | eval userStatus=if(firstTime >= relative_time(now(), \\\"@d\\\"), \\\"New Region\\\",\\\"Previously Seen Region\\\") | eval UserData=if(earliestseen >= relative_time(now(), \\\"@d\\\") OR isnull(earliestseen), \\\"New User\\\",\\\"Old User\\\") | where userStatus=\\\"New Region\\\" AND UserData=\\\"Old User\\\" | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `security_content_ctime(earliestseen)` | table user Region userStatus firstTime lastTime earliestseen | `detect_aws_console_login_by_user_from_new_region_filter`\",\n            \"known_false_positives\": \"When a legitimate new user logs in for the first time, this activity will be detected. 
Check how old the account is and verify that the user activity is legitimate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious AWS Login Activities\",\n                    \"Suspicious Cloud Authentication Activities\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1535\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [\n                    \"Unused/Unsupported Cloud Regions\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously seen users in CloudTrail\",\n                    \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd03\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-30\",\n                    \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last 30 days.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) as firstTime latest(_time) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS Login Activities\"\n                        ],\n                        \"detections\": [\n                            \"Detect AWS Console Login by User from New Country\",\n                            \"Detect AWS Console Login by User from New Region\",\n                            \"Detect AWS Console Login by User from New City\",\n                            \"Detect new user AWS Console Login\"\n                        ]\n                    }\n                },\n                {\n                    \"name\": \"Previously seen users in CloudTrail - DM\",\n                    \"id\": \"0a87ecf9-dc6a-43af-861a-205e75a09bf5\",\n                    \"version\": 1,\n                    \"date\": \"2020-05-28\",\n                    \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by username, within the last 30 days.\",\n                    \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. 
Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | table user src City Region Country firstTime lastTime | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Cloud Authentication Activities\"\n                        ],\n                        \"detections\": [\n                            \"Detect AWS Console Login by User from New Country\",\n                            \"Detect AWS Console Login by User from New Region\",\n                            \"Detect AWS Console Login by User from New City\",\n                            \"Detect new user AWS Console Login - DM\"\n                        ]\n                    }\n                },\n                {\n                    \"name\": \"Update previously seen users in CloudTrail\",\n                    \"id\": \"06c036e6-d6d7-4daa-bd76-411c3d356031\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-30\",\n                    \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last hour.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) AS firstTime latest(_time) AS lastTime by user src City Region Country | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS Login Activities\"\n                        ],\n                        \"detections\": [\n                            \"Detect AWS Console Login by User from New Country\",\n                            \"Detect AWS Console Login by User from New Region\",\n                            \"Detect AWS Console Login by User from New City\",\n                            \"Detect new user AWS Console Login\"\n                        ]\n                    }\n                },\n                {\n                    \"name\": \"Update previously seen users in CloudTrail - DM\",\n                    \"id\": \"66ff71c2-7e01-47dd-a041-906688c9d322\",\n                    \"version\": 1,\n                    \"date\": \"2020-05-28\",\n                    \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by user, within the last hour.\",\n                    \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS 
(version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authenticaiton.src | iplocation Authentication.src | rename Authentication.user as user Authentciation.src as src | table user src City Region Country firstTime lastTime | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Cloud Authentication Activities\"\n                        ],\n                        \"detections\": [\n                            \"Detect AWS Console Login by User from New Country\",\n                            \"Detect AWS Console Login by User from New Region\",\n                            \"Detect AWS Console Login by User from New City\",\n                            \"Detect new user AWS Console Login - DM\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    
\"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_aws_console_login_by_user_from_new_region_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect GCP Storage access from a new IP\",\n            \"id\": \"ccc3246a-daa1-11ea-87d0-0242ac130022\",\n            \"version\": 1,\n            \"date\": \"2020-08-10\",\n            \"description\": \"This search looks at GCP Storage bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed a GCP Storage bucket.\",\n            \"how_to_implement\": \"This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). In order to capture public GCP Storage Bucket access logs, you must also enable storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs.  These logs are deposited into the nominated Storage Bucket on an hourly basis and typically show up by 15 minutes past the hour.  It is recommended to configure any saved searches or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes past the hour (cron definition of 30 * * * *).  
A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) stores the previously seen access requests, and is used by this search to determine any newly seen IP addresses accessing the Storage Buckets.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Shannon Davis, Splunk\",\n            \"search\": \"`google_gcp_pubsub_message` | multikv | rename sc_status_ as status | rename cs_object_ as bucket_name | rename c_ip_ as remote_ip | rename cs_uri_ as request_uri | rename cs_method_ as operation | search status=\\\"\\\\\\\"200\\\\\\\"\\\" | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri | table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri | inputlookup append=t previously_seen_gcp_storage_access_from_remote_ip.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri | outputlookup previously_seen_gcp_storage_access_from_remote_ip.csv | eval newIP=if(firstTime >= relative_time(now(),\\\"-70m@m\\\"), 1, 0) | where newIP=1 | eval first_time=strftime(firstTime,\\\"%m/%d/%y %H:%M:%S\\\") | eval last_time=strftime(lastTime,\\\"%m/%d/%y %H:%M:%S\\\") | table  first_time last_time bucket_name remote_ip operation request_uri | `detect_gcp_storage_access_from_a_new_ip_filter`\",\n            \"known_false_positives\": \"GCP Storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. 
This will be a false positive, since the search is looking for a new IP within the past two hours.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious GCP Storage Activities\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1530\"\n                ],\n                \"cis20\": [\n                    \"CIS 13\",\n                    \"CIS 14\"\n                ],\n                \"nist\": [\n                    \"PR.DS\",\n                    \"PR.AC\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"GCP Storage Bucket\",\n                \"mitre_attack_technique\": [\n                    \"Data from Cloud Storage Object\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Collection\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                    \"name\": \"google_gcp_pubsub_message\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"detect_gcp_storage_access_from_a_new_ip_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect new API calls from user roles\",\n            \"id\": \"22773e84-bac0-4595-b086-20d3f335b4f1\",\n            \"version\": 1,\n            \"date\": \"2018-04-16\",\n            \"description\": \"This search detects new API calls that have either never been seen before or that have not been seen in the previous hour, where the identity type is `AssumedRole`.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the \\\"Previously seen API call per user roles in CloudTrail\\\" support search once to create a history of previously seen user roles.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole [search `cloudtrail` eventType=AwsApiCall errorCode=success  userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName |  inputlookup append=t previously_seen_api_calls_from_user_roles | stats min(earliest) as earliest, max(latest) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles| eval newApiCallfromUserRole=if(earliest>=relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newApiCallfromUserRole=1 | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | table eventName userName]  |rename userName as user| stats values(eventName) earliest(_time) as earliest latest(_time) as latest by user | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | `detect_new_api_calls_from_user_roles_filter`\",\n            
\"known_false_positives\": \"It is possible that there are legitimate user roles making new or infrequently used API calls in your infrastructure, causing the search to trigger.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS User Monitoring\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.004\"\n                ],\n                \"cis20\": [\n                    \"CIS 1\"\n                ],\n                \"nist\": [\n                    \"ID.AM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT33\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously seen API call per user roles in CloudTrail\",\n                    \"id\": \"fc0edc95-fq2c-48b0-9f6f-63da3289fd03\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-16\",\n                    \"description\": \"This search looks for successful API calls made by different user roles, then creates a baseline of the earliest and latest times we have encountered this user role. It also returns the name of the API call in our dataset--grouped by user role and name of the API call--that occurred within the last 30 days. 
In this support search, we are only looking for events where the user identity is Assumed Role.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user role entries in `previously_seen_api_calls_from_user_roles.csv`, which is a lookup file created as a result of running this support search.\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS User Monitoring\"\n                        ],\n                        \"detections\": [\n                            \"Detect new API calls from user roles\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_new_api_calls_from_user_roles_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect New Open GCP Storage Buckets\",\n            \"id\": \"f6ea3466-d6bb-11ea-87d0-0242ac130003\",\n            \"version\": 1,\n            \"date\": \"2020-08-05\",\n            \"description\": \"This search looks for GCP PubSub events where a user has created an open/public GCP Storage bucket.\",\n            \"how_to_implement\": \"This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview).\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Shannon Davis, Splunk\",\n            \"search\": \"`google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions | spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action | spath output=user path=data.protoPayload.authenticationInfo.principalEmail | spath output=location path=data.protoPayload.resourceLocation.currentLocations{} | spath output=src 
path=data.protoPayload.requestMetadata.callerIp | spath output=bucketName path=data.protoPayload.resourceName | spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role | spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member | search (member=allUsers AND action=ADD) | table  _time, bucketName, src, user, location, action, role, member | search `detect_new_open_gcp_storage_buckets_filter`\",\n            \"known_false_positives\": \"While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the \\\"allUsers\\\" group.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious GCP Storage Activities\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1530\"\n                ],\n                \"cis20\": [\n                    \"CIS 13\"\n                ],\n                \"nist\": [\n                    \"PR.DS\",\n                    \"PR.AC\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"GCP Storage Bucket\",\n                \"mitre_attack_technique\": [\n                    \"Data from Cloud Storage Object\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Collection\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"google_gcp_pubsub_message\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_new_open_gcp_storage_buckets_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect New Open S3 buckets\",\n            \"id\": \"2a9b80d3-6340-4345-b5ad-290bf3d0dac4\",\n            \"version\": 1,\n            \"date\": \"2018-07-25\",\n            \"description\": \"This search looks for CloudTrail events where a user has created an open/public S3 bucket.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), and then configure your CloudTrail inputs. The threshold value should be tuned to your environment.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` AllUsers eventName=PutBucketAcl | spath output=userIdentityArn path=userIdentity.arn | spath output=bucketName path=requestParameters.bucketName | spath output=aclControlList path=requestParameters.AccessControlPolicy.AccessControlList | spath input=aclControlList output=grantee path=Grant{} | mvexpand grantee | spath input=grantee | search Grantee.URI=*AllUsers | rename userIdentityArn as user| table _time, src,awsRegion Permission, Grantee.URI, bucketName, user | `detect_new_open_s3_buckets_filter`\",\n            \"known_false_positives\": \"While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. 
That said, AWS strongly advises against granting full control to the \\\"All Users\\\" group.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious AWS S3 Activities\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1530\"\n                ],\n                \"cis20\": [\n                    \"CIS 13\"\n                ],\n                \"nist\": [\n                    \"PR.DS\",\n                    \"PR.AC\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"S3 Bucket\",\n                \"mitre_attack_technique\": [\n                    \"Data from Cloud Storage Object\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Collection\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"detect_new_open_s3_buckets_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect new user AWS Console Login\",\n            \"id\": \"ada0f478-84a8-4641-a3f3-d82362dffd75\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Run the \\\"Previously seen users in CloudTrail\\\" support search only once to create a baseline of previously seen IAM users within the last 30 days. 
Run \\\"Update previously seen users in CloudTrail\\\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.\",\n            \"type\": \"ESCU\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | stats earliest(_time) as firstTime latest(_time) as lastTime by user | inputlookup append=t previously_seen_users_console_logins.csv  | stats min(firstTime) as firstTime max(lastTime) as lastTime by user | eval userStatus=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), \\\"First Time Logging into AWS Console\\\",\\\"Previously Seen User\\\") | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| where userStatus =\\\"First Time Logging into AWS Console\\\"  | `detect_new_user_aws_console_login_filter`\",\n            \"known_false_positives\": \"When a legitimate new user logins for the first time, this activity will be detected. 
Check how old the account is and verify that the user activity is legitimate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious AWS Login Activities\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.004\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT33\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously seen users in CloudTrail\",\n                    \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd03\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-30\",\n                    \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last 30 days.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) as firstTime latest(_time) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS Login Activities\"\n                        ],\n                        \"detections\": [\n                            \"Detect AWS Console Login by User from New Country\",\n                            \"Detect AWS Console Login by User from New Region\",\n                            \"Detect AWS Console Login by User from New City\",\n                            \"Detect new user AWS Console Login\"\n                        ]\n                    }\n                },\n                {\n                    \"name\": \"Update previously seen users in CloudTrail\",\n                    \"id\": \"06c036e6-d6d7-4daa-bd76-411c3d356031\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-30\",\n                    \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last hour.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) AS firstTime latest(_time) AS lastTime by user src City Region Country | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS Login Activities\"\n                        ],\n                        \"detections\": [\n                            \"Detect AWS Console Login by User from New Country\",\n                            \"Detect AWS Console Login by User from New Region\",\n                            \"Detect AWS Console Login by User from New City\",\n                            \"Detect new user AWS Console Login\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_new_user_aws_console_login_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect new user AWS Console Login - DM\",\n            \"id\": \"bc91a8cd-35e7-4bb2-6140-e756cc46fd71\",\n            \"version\": 1,\n            \"date\": \"2020-05-28\",\n            \"description\": \"This search looks for CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour\",\n            \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the \\\"Previously seen users in CloudTrail\\\" support search only once to create a baseline of previously seen IAM users within the last 30 days. 
Run \\\"Update previously seen users in CloudTrail\\\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.\",\n            \"type\": \"ESCU\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user | `drop_dm_object_name(Authentication)` | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user | eval userStatus=if(firstTime >=relative_time(now(), '-70m@m'), 'First Time Logging into AWS Console','Previously Seen User')| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `detect_new_user_aws_console_login___dm_filter`\",\n            \"known_false_positives\": \"When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Cloud Authentication Activities\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously seen users in CloudTrail - DM\",\n                    \"id\": \"0a87ecf9-dc6a-43af-861a-205e75a09bf5\",\n              
      \"version\": 1,\n                    \"date\": \"2020-05-28\",\n                    \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by username, within the last 30 days.\",\n                    \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | table user src City Region Country firstTime lastTime | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Cloud Authentication Activities\"\n                        ],\n                        \"detections\": [\n                            \"Detect AWS Console Login by User from New Country\",\n                            \"Detect AWS Console Login by User from New Region\",\n                            \"Detect AWS Console Login by User from New City\",\n                            \"Detect new user AWS Console Login - DM\"\n                        ]\n                    }\n                },\n                {\n                    \"name\": \"Update previously seen users in CloudTrail - DM\",\n                    \"id\": 
\"66ff71c2-7e01-47dd-a041-906688c9d322\",\n                    \"version\": 1,\n                    \"date\": \"2020-05-28\",\n                    \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by user, within the last hour.\",\n                    \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authenticaiton.src | iplocation Authentication.src | rename Authentication.user as user Authentciation.src as src | table user src City Region Country firstTime lastTime | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Cloud Authentication Activities\"\n                        ],\n                        \"detections\": [\n                            \"Detect AWS Console Login by User from New Country\",\n                            \"Detect AWS Console Login by User from New Region\",\n                            \"Detect AWS Console Login by User from New City\",\n                            \"Detect new user AWS Console Login - DM\"\n            
            ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_new_user_aws_console_login___dm_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect S3 access from a new IP\",\n            \"id\": \"2a9b80d3-6340-4345-b5ad-291bq3d0daq4\",\n            \"version\": 1,\n            \"date\": \"2018-06-28\",\n            \"description\": \"This search looks at S3 bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed an S3 bucket.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access logs' inputs. 
This search works best when you run the \\\"Previously Seen S3 Bucket Access by Remote IP\\\" support search once to create a history of previously seen remote IPs and bucket names.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`aws_s3_accesslogs` http_status=200  [search `aws_s3_accesslogs` http_status=200 | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip | inputlookup append=t previously_seen_S3_access_from_remote_ip.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip.csv | eval newIP=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newIP=1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | table bucket_name remote_ip]| iplocation remote_ip |rename remote_ip as src_ip | table _time bucket_name src_ip City Country operation request_uri | `detect_s3_access_from_a_new_ip_filter`\",\n            \"known_false_positives\": \"S3 buckets can be accessed from any IP, as long as it can make a successful connection. 
This will be a false postive, since the search is looking for a new IP within the past hour\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious AWS S3 Activities\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1530\"\n                ],\n                \"cis20\": [\n                    \"CIS 13\",\n                    \"CIS 14\"\n                ],\n                \"nist\": [\n                    \"PR.DS\",\n                    \"PR.AC\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"S3 Bucket\",\n                \"mitre_attack_technique\": [\n                    \"Data from Cloud Storage Object\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Collection\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously seen S3 bucket access by remote IP\",\n                    \"id\": \"fc0edc15-fq2c-48b0-9f6f-63qa1281fd03\",\n                    \"version\": 1,\n                    \"date\": \"2018-06-28\",\n                    \"description\": \"This search looks for successful access to S3 buckets from remote IP addresses, then creates a baseline of the earliest and latest times we have encountered this remote IP within the last 30 days. In this support search, we are only looking for S3 access events where the HTTP response code from AWS is \\\"200\\\"\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access-logs inputs. 
You must validate the remote IP and bucket name entries in `previously_seen_S3_access_from_remote_ip.csv`, which is a lookup file created as a result of running this support search.\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`aws_s3_accesslogs` http_status=200  | stats  earliest(_time) as earliest latest(_time) as latest by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS S3 Activities\"\n                        ],\n                        \"detections\": [\n                            \"Detect S3 access from a new IP\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"sourcetype=aws:s3:accesslogs\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"aws_s3_accesslogs\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"detect_s3_access_from_a_new_ip_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Spike in AWS API Activity\",\n            \"id\": \"ada0f478-84a8-4641-a3f1-d32362d4bd55\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search will detect users creating spikes of API activity in your AWS environment.  It will also update the cache file that factors in the latest data.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.\\\\\\nThis search produces fields (`eventName`,`numberOfApiCalls`,`uniqueApisCalled`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** AWS Event Name, **Field:** eventName\\\\\\n1. \\\\\\n1. **Label:** Number of API Calls, **Field:** numberOfApiCalls\\\\\\n1. \\\\\\n1. 
**Label:** Unique API Calls, **Field:** uniqueApisCalled\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`cloudtrail` eventType=AwsApiCall [search `cloudtrail` eventType=AwsApiCall | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup api_call_by_user_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup api_call_by_user_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_aws_api_activity_filter`\",\n            \"known_false_positives\": \"\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS User Monitoring\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.004\"\n     
           ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.CM\",\n                    \"PR.AC\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT33\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Baseline of API Calls per User ARN\",\n                    \"id\": \"fc0edc96-ff2b-48b0-9f6f-63da3783fd63\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-09\",\n                    \"description\": \"This search establishes, on a per-hour basis, the average and the standard deviation of the number of API calls made by each user. Also recorded is the number of data points for each user. 
This table is then outputted to a lookup file to allow the detection search to operate quickly.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` eventType=AwsApiCall | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup api_call_by_user_baseline | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS User Monitoring\"\n                        ],\n                        \"detections\": [\n                            \"Detect Spike in AWS API Activity\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"detect_spike_in_aws_api_activity_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Spike in AWS Security Hub Alerts for EC2 Instance\",\n            \"id\": \"2a9b80d3-6340-4345-b5ad-290bf5d0d222\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for a spike in the number of AWS Security Hub alerts for an EC2 instance in 4-hour intervals.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. The threshold_value should be tuned to your environment, and these searches should be scheduled according to the bucket span interval.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`aws_securityhub_firehose` \\\"findings{}.Resources{}.Type\\\"=AWSEC2Instance | rex field=findings{}.Resources{}.Id .*instance/(?<instance>.*) | rename instance as dest | bucket span=4h _time | stats count AS alerts by _time dest | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev | eval threshold_value = 4 | eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time dest alerts|`detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter`\",\n            \"known_false_positives\": \"None\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Security Hub Alerts\"\n                ],\n                \"cis20\": [\n                    \"CIS 13\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n 
               \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"aws:securityhub:firehose\\\"\",\n                    \"description\": \"Customer-specific Splunk configurations (e.g. index, source, sourcetype). Replace the macro definition with configurations for your Splunk environment.\",\n                    \"name\": \"aws_securityhub_firehose\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Spike in blocked Outbound Traffic from your AWS\",\n            \"id\": \"ada0f278-84a8-46w1-a3f1-w32372d4bd53\",\n            \"version\": 1,\n            \"date\": \"2018-05-07\",\n            \"description\": \"This search will detect a spike in blocked outbound network connections originating from within your AWS environment. It will also update the cache file that factors in the latest data.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the number of data points required to meet the definition of \\\"spike.\\\" The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. 
This search works best when you run the \\\"Baseline of Blocked Outbound Connection\\\" support search once to create a history of previously seen blocked outbound connections.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16)  [search  `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16)  | stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections as latestCount | eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720 | eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720)) | eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold = 3 | eval isSpike=if((latestCount > avgBlockedConnections+deviationThreshold*stdevBlockedConnections) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip] | stats values(dest_ip) as \\\"Blocked Destination IPs\\\", values(interface_id) as \\\"resourceId\\\" count as numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip | 
`detect_spike_in_blocked_outbound_traffic_from_your_aws_filter`\",\n            \"known_false_positives\": \"The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Network ACL Activity\",\n                    \"Suspicious AWS Traffic\",\n                    \"Command and Control\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\",\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 11\"\n                ],\n                \"nist\": [\n                    \"DE.AE\",\n                    \"DE.CM\",\n                    \"PR.AC\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Baseline of blocked outbound traffic from AWS\",\n                    \"id\": \"fc0edd96-ff2b-48b0-9f1f-63da3782fd63\",\n                    \"version\": 1,\n                    \"date\": \"2018-05-07\",\n                    \"description\": \"This search establishes, on a per-hour basis, the average and the standard deviation of the number of outbound connections blocked in your VPC flow logs by each source IP address (IP address of your EC2 instances). Also recorded is the number of data points for each source IP. 
This table outputs to a lookup file to allow the detection search to operate quickly.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your `VPC flow logs.`.\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | bucket _time span=1h | stats count as numberOfBlockedConnections by _time, src_ip | stats count(numberOfBlockedConnections) as numDataPoints, latest(numberOfBlockedConnections) as latestCount, avg(numberOfBlockedConnections) as avgBlockedConnections, stdev(numberOfBlockedConnections) as stdevBlockedConnections by src_ip | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Network ACL Activity\",\n                            \"Command and Control\",\n                            \"Suspicious AWS Traffic\"\n                        ],\n                        \"detections\": [\n                            \"Detect Spike in blocked Outbound Traffic from your AWS\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudwatchlogs:vpcflow\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk environment.\",\n                    \"name\": \"cloudwatchlogs_vpcflow\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_spike_in_blocked_outbound_traffic_from_your_aws_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Spike in Network ACL Activity\",\n            \"id\": \"ada0f478-84a8-4641-a1f1-e32372d4bd53\",\n            \"version\": 1,\n            \"date\": \"2018-05-21\",\n            \"description\": \"This search will detect users creating spikes in API activity related to network access-control lists (ACLs) in your AWS environment.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required before a statistically significant determination can be made. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \\\"Baseline of Network ACL Activity by ARN\\\" support search once to create a lookup file of previously seen Network ACL Activity. 
To add or remove API event names related to network ACLs, edit the macro `network_acl_events`.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` `network_acl_events` [search `cloudtrail` `network_acl_events` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup network_acl_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_network_acl_activity_filter`\",\n            \"known_false_positives\": \"The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. 
Please modify these thresholds according to your environment.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Network ACL Activity\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 12\",\n                    \"CIS 11\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.CM\",\n                    \"PR.AC\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Baseline of Network ACL Activity by ARN\",\n                    \"id\": \"fc0edd96-ff2b-4810-9f1f-63da3783fd63\",\n                    \"version\": 1,\n                    \"date\": \"2018-05-21\",\n                    \"description\": \"This search establishes, on a per-hour basis, the average and the standard deviation of the number of API calls related to network ACLs made by each user. Also recorded is the number of data points for each user. This table is then written to a lookup file to allow the detection search to operate quickly.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
To add or remove API event names for network ACLs, edit the macro `network_acl_events`.\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` `network_acl_events` | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Network ACL Activity\"\n                        ],\n                        \"detections\": [\n                            \"Detect Spike in Network ACL Activity\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"definition\": \"(eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)\",\n                    \"description\": \"This is a list of AWS event names that are associated with Network ACLs\",\n                    \"name\": \"network_acl_events\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"detect_spike_in_network_acl_activity_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Spike in S3 Bucket deletion\",\n            \"id\": \"ad12w478-84a8-4641-a3w1-e32372q4bd53\",\n            \"version\": 1,\n            \"date\": \"2018-11-27\",\n            \"description\": \"This search detects users creating spikes in API activity related to deletion of S3 buckets in your AWS environment. It will also update the cache file that factors in the latest data.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data to determine. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. 
This search works best when you run the \\\"Baseline of S3 Bucket deletion activity by ARN\\\" support search once to create a baseline of previously seen S3 bucket-deletion activity.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup s3_deletion_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | spath output=bucketName path=requestParameters.bucketName | stats values(bucketName) as bucketName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_s3_bucket_deletion_filter`\",\n            \"known_false_positives\": \"Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. 
Please modify these thresholds according to your environment.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious AWS S3 Activities\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1530\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 13\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.CM\",\n                    \"PR.AC\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"S3 Bucket\",\n                \"mitre_attack_technique\": [\n                    \"Data from Cloud Storage Object\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Collection\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Baseline of S3 Bucket deletion activity by ARN\",\n                    \"id\": \"fc0edd96-ff2b-48b0-9f1f-63eq3783fd63\",\n                    \"version\": 1,\n                    \"date\": \"2018-07-17\",\n                    \"description\": \"This search establishes, on a per-hour basis, the average and standard deviation for the number of API calls related to deleting an S3 bucket by each user. Also recorded is the number of data points for each user. 
This table is then outputted to a lookup file to allow the detection search to operate quickly.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS S3 Activities\"\n                        ],\n                        \"detections\": [\n                            \"Detect Spike in S3 Bucket deletion\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"detect_spike_in_s3_bucket_deletion_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Spike in Security Group Activity\",\n            \"id\": \"ada0f478-84a8-4641-a3f1-e32372d4bd53\",\n            \"version\": 1,\n            \"date\": \"2018-04-18\",\n            \"description\": \"This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required before a statistically significant determination can be made. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \\\"Baseline of Security Group Activity by ARN\\\" support search once to create a history of previously seen Security Group Activity. 
To add or remove API event names for security groups, edit the macro `security_group_api_calls`.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` `security_group_api_calls` [search `cloudtrail` `security_group_api_calls` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup security_group_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_security_group_activity_filter`\",\n            \"known_false_positives\": \"Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. 
Please modify these thresholds according to your environment.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS User Monitoring\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.004\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.CM\",\n                    \"PR.AC\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT33\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Baseline of Security Group Activity by ARN\",\n                    \"id\": \"fc0edd96-ff2b-48b0-9f1f-63da3783fd63\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-17\",\n                    \"description\": \"This search establishes, on a per-hour basis, the average and the standard deviation for the number of API calls related to security groups made by each user. Also recorded is the number of data points for each user. 
This table is then outputted to a lookup file to allow the detection search to operate quickly.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove API event names for security groups, edit the macro `security_group_api_calls`.\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` `security_group_api_calls` | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS User Monitoring\"\n                        ],\n                        \"detections\": [\n                            \"Detect Spike in Security Group Activity\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk environment.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"definition\": \"(eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress)\",\n                    \"description\": \"This macro is a list of AWS event names associated with security groups\",\n                    \"name\": \"security_group_api_calls\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_spike_in_security_group_activity_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Spike in AWS Security Hub Alerts for User\",\n            \"id\": \"2a9b80d3-6220-4345-b5ad-290bf5d0d222\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for a spike in the number of AWS Security Hub alerts for an AWS IAM User in 4-hour intervals.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. 
The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`aws_securityhub_firehose` \\\"findings{}.Resources{}.Type\\\"= AwsIamUser | rename findings{}.Resources{}.Id as user | bucket span=4h _time | stats count AS alerts by _time user | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev | eval threshold_value = 2 | eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time user alerts |`detect_spike_in_aws_security_hub_alerts_for_user_filter`\",\n            \"known_false_positives\": \"None\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Security Hub Alerts\"\n                ],\n                \"cis20\": [\n                    \"CIS 13\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"aws:securityhub:firehose\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"aws_securityhub_firehose\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"detect_spike_in_aws_security_hub_alerts_for_user_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"EC2 Instance Modified With Previously Unseen User\",\n            \"id\": \"56f91724-cf3f-4666-84e1-e3712fb41e76\",\n            \"version\": 3,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for EC2 instances being modified by users who have not previously modified them.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the \\\"Previously Seen EC2 Launches By User\\\" support search once to create a history of previously seen ARNs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`cloudtrail` `ec2_modification_api_calls` [search `cloudtrail` `ec2_modification_api_calls` errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_modifications_by_user | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | eval newUser=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=dest responseElements.instancesSet.items{}.instanceId | spath output=user userIdentity.arn | table _time, user, dest | `ec2_instance_modified_with_previously_unseen_user_filter`\",\n            \"known_false_positives\": \"It's possible that a new user will 
start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Unusual AWS EC2 Modifications\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.004\"\n                ],\n                \"cis20\": [\n                    \"CIS 1\"\n                ],\n                \"nist\": [\n                    \"ID.AM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT33\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously Seen EC2 Modifications By User\",\n                    \"id\": \"4d69091b-d975-4267-85df-888bd41034eb\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-05\",\n                    \"description\": \"This search builds a table of previously seen ARNs that have launched a EC2 instance.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. 
To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` `ec2_modification_api_calls` errorCode=success | spath output=arn userIdentity.arn | stats earliest(_time) as firstTime latest(_time) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Unusual AWS EC2 Modifications\"\n                        ],\n                        \"detections\": [\n                            \"EC2 Instance Modified With Previously Unseen User\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"definition\": \"(eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=GetConsoleOutput OR eventName=GetConsoleScreenshot OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)\",\n                    \"description\": \"This is a list of AWS event names that have to do with modifying Amazon EC2 instances\",\n                    \"name\": \"ec2_modification_api_calls\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"ec2_instance_modified_with_previously_unseen_user_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"EC2 Instance Started In Previously Unseen Region\",\n            \"id\": \"ada0f478-84a8-4641-a3f3-d82362d6fd75\",\n            \"version\": 1,\n            \"date\": \"2018-02-23\",\n            \"description\": \"This search looks for CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Run the \\\"Previously seen AWS Regions\\\" support search only once to create of baseline of previously seen regions.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` earliest=-1h StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | inputlookup append=t previously_seen_aws_regions.csv | stats min(earliest) as earliest max(latest) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | eval regionStatus=if(earliest >= relative_time(now(),\\\"-1d@d\\\"), \\\"Instance Started in a New Region\\\",\\\"Previously Seen Region\\\") | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where regionStatus=\\\"Instance Started in a New Region\\\" | `ec2_instance_started_in_previously_unseen_region_filter`\",\n            \"known_false_positives\": \"It's possible that a user has unknowingly started an instance in a new region. 
Please verify that this activity is legitimate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Cryptomining\",\n                    \"Suspicious AWS EC2 Activities\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1535\"\n                ],\n                \"cis20\": [\n                    \"CIS 12\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [\n                    \"Unused/Unsupported Cloud Regions\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously Seen AWS Regions\",\n                    \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd63\",\n                    \"version\": 1,\n                    \"date\": \"2018-01-08\",\n                    \"description\": \"This search looks for CloudTrail events where an AWS instance is started and creates a baseline of most recent time (latest) and the first time (earliest) we've seen this region in our dataset grouped by the value awsRegion for the last 30 days\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` StartInstances | stats earliest(_time) as earliest latest(_time) 
as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cryptomining\",\n                            \"Suspicious AWS EC2 Activities\"\n                        ],\n                        \"detections\": [\n                            \"EC2 Instance Started In Previously Unseen Region\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"ec2_instance_started_in_previously_unseen_region_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"EC2 Instance Started With Previously Unseen AMI\",\n            \"id\": \"347ec301-601b-48b9-81aa-9ddf9c829dd3\",\n            \"version\": 1,\n            \"date\": \"2018-03-12\",\n            \"description\": \"This search looks for EC2 instances being created with previously unseen AMIs.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the \\\"Previously Seen EC2 AMIs\\\" support search once to create a history of previously seen AMIs.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by requestParameters.instancesSet.items{}.imageId | rename requestParameters.instancesSet.items{}.imageId as amiID | inputlookup append=t previously_seen_ec2_amis.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by amiID | outputlookup previously_seen_ec2_amis.csv | eval newAMI=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | where newAMI=1 | rename amiID as requestParameters.instancesSet.items{}.imageId | table requestParameters.instancesSet.items{}.imageId] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as arn, requestParameters.instancesSet.items{}.imageId as amiID | table firstTime, lastTime, arn, amiID, dest, instanceType | `ec2_instance_started_with_previously_unseen_ami_filter`\",\n  
          \"known_false_positives\": \"After a new AMI is created, the first systems created with that AMI will cause this alert to fire.  Verify that the AMI being used was created by a legitimate user.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Cryptomining\"\n                ],\n                \"cis20\": [\n                    \"CIS 1\"\n                ],\n                \"nist\": [\n                    \"ID.AM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously Seen EC2 AMIs\",\n                    \"id\": \"bb1bd99d-1e93-45f1-9571-cfed42d372b9\",\n                    \"version\": 1,\n                    \"date\": \"2018-03-12\",\n                    \"description\": \"This search builds a table of previously seen AMIs used to launch EC2 instances\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success | rename requestParameters.instancesSet.items{}.imageId as amiID | stats earliest(_time) as firstTime latest(_time) as lastTime by amiID | outputlookup previously_seen_ec2_amis.csv | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cryptomining\"\n                        ],\n                        \"detections\": [\n                            \"EC2 Instance Started With Previously Unseen AMI\"\n                       
 ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"ec2_instance_started_with_previously_unseen_ami_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"EC2 Instance Started With Previously Unseen Instance Type\",\n            \"id\": \"65541c80-03c7-4e05-83c8-1dcd57a2e1ad\",\n            \"version\": 2,\n            \"date\": \"2020-02-07\",\n            \"description\": \"This search looks for EC2 instances being created with previously unseen instance types.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
This search works best when you run the \\\"Previously Seen EC2 Instance Types\\\" support search once to create a history of previously seen instance types.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | fillnull value=\\\"m1.small\\\" requestParameters.instanceType | stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types.csv | stats min(earliest) as earliest max(latest) as latest by instanceType | outputlookup previously_seen_ec2_instance_types.csv | eval newType=if(earliest >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where newType=1 | rename instanceType as requestParameters.instanceType | table requestParameters.instanceType] | spath output=user userIdentity.arn | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_instance_type_filter`\",\n            \"known_false_positives\": \"It is possible that an admin will create a new system using a new instance type never used before. 
Verify with the creator that they intended to create the system with the new instance type.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Cryptomining\"\n                ],\n                \"cis20\": [\n                    \"CIS 1\"\n                ],\n                \"nist\": [\n                    \"ID.AM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously Seen EC2 Instance Types\",\n                    \"id\": \"b8f029f2-65a6-4d76-be98-dad1c9d59c45\",\n                    \"version\": 1,\n                    \"date\": \"2018-03-08\",\n                    \"description\": \"This search builds a table of previously seen EC2 instance types\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success | rename requestParameters.instanceType as instanceType | fillnull value=\\\"m1.small\\\" instanceType | stats earliest(_time) as earliest latest(_time) as latest by instanceType | outputlookup previously_seen_ec2_instance_types.csv | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cryptomining\"\n                        ],\n                        \"detections\": [\n                            \"EC2 Instance Started With Previously Unseen Instance Type\"\n                        ]\n                    }\n                }\n         
   ],\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"ec2_instance_started_with_previously_unseen_instance_type_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"EC2 Instance Started With Previously Unseen User\",\n            \"id\": \"22773e84-bac0-4595-b086-20d3f735b4f1\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for EC2 instances being created by users who have not created them before.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
This search works best when you run the \\\"Previously Seen EC2 Launches By User\\\" support search once to create a history of previously seen ARNs.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_launches_by_user.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user.csv | eval newUser=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as user | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_user_filter`\",\n            \"known_false_positives\": \"It's possible that a user will start to create EC2 instances when they haven't before for any number of reasons. 
Verify with the user that is launching instances that this is the intended behavior.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Cryptomining\",\n                    \"Suspicious AWS EC2 Activities\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.004\"\n                ],\n                \"cis20\": [\n                    \"CIS 1\"\n                ],\n                \"nist\": [\n                    \"ID.AM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"AWS Instance\",\n                \"mitre_attack_technique\": [\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT33\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously Seen EC2 Launches By User\",\n                    \"id\": \"6c767ac0-0906-4355-9a83-927f5ee7bdad\",\n                    \"version\": 1,\n                    \"date\": \"2018-03-15\",\n                    \"description\": \"This search builds a table of previously seen ARNs that have launched a EC2 instance.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success | rename userIdentity.arn as arn | stats earliest(_time) as firstTime latest(_time) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user.csv | 
stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cryptomining\",\n                            \"Suspicious AWS EC2 Activities\"\n                        ],\n                        \"detections\": [\n                            \"EC2 Instance Started With Previously Unseen User\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=aws:cloudtrail\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cloudtrail\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"ec2_instance_started_with_previously_unseen_user_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-10-09\",\n            \"description\": \"This search provides detection of accounts with high risk roles by projects. Compromised accounts with high risk roles can move laterally or even scalate privileges at different projects depending on organization schema.\",\n            \"how_to_implement\": \"You must install splunk GCP add-on. 
This search works with gcp:pubsub:message logs\",\n            \"id\": \"27af8c15-38b0-4408-b339-920170724adb\",\n            \"known_false_positives\": \"Accounts with high risk roles should be reduced to the minimum number needed, however specific tasks and setups may be simply expected behavior within organization\",\n            \"name\": \"GCP Detect accounts with high risk roles by project\",\n            \"references\": [\n                \"https://github.com/dxa4481/gcploit\",\n                \"https://www.youtube.com/watch?v=Ml09R38jpok\",\n                \"https://cloud.google.com/iam/docs/understanding-roles\"\n            ],\n            \"search\": \"`google_gcp_pubsub_message` data.protoPayload.request.policy.bindings{}.role=roles/owner OR roles/editor OR roles/iam.serviceAccountUser OR roles/iam.serviceAccountAdmin OR roles/iam.serviceAccountTokenCreator OR roles/dataflow.developer OR roles/dataflow.admin OR roles/composer.admin OR roles/dataproc.admin OR roles/dataproc.editor | table data.resource.type data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.authorizationInfo{}.resource data.protoPayload.response.bindings{}.role data.protoPayload.response.bindings{}.members{} | `gcp_detect_accounts_with_high_risk_roles_by_project_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"GCP Cross Account Activity\"\n                ],\n                \"asset_type\": \"GCP Account\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [\n                    \"Valid Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    
\"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"Wizard Spider\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"TEMP.Veles\",\n                    \"APT39\",\n                    \"FIN4\",\n                    \"Night Dragon\",\n                    \"Dragonfly 2.0\",\n                    \"FIN8\",\n                    \"Leviathan\",\n                    \"APT33\",\n                    \"OilRig\",\n                    \"FIN5\",\n                    \"menuPass\",\n                    \"APT28\",\n                    \"FIN10\",\n                    \"Suckfly\",\n                    \"FIN6\",\n                    \"Threat Group-3390\",\n                    \"APT18\",\n                    \"PittyTiger\",\n                    \"Carbanak\"\n                ]\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"google_gcp_pubsub_message\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"gcp_detect_accounts_with_high_risk_roles_by_project_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-10-08\",\n            \"description\": \"This search provides detection of GCPloit exploitation framework. This framework can be used to escalate privileges and move laterally from compromised high privilege accounts.\",\n            \"how_to_implement\": \"You must install splunk GCP add-on. This search works with gcp:pubsub:message logs\",\n            \"id\": \"a1c5a85e-a162-410c-a5d9-99ff639e5a52\",\n            \"known_false_positives\": \"Payload.request.function.timeout value can possibly be match with other functions or requests however the source user and target request account may indicate an attempt to move laterally accross acounts or projects\",\n            \"name\": \"GCP Detect gcploit framework\",\n            \"references\": [\n                \"https://github.com/dxa4481/gcploit\",\n                \"https://www.youtube.com/watch?v=Ml09R38jpok\"\n            ],\n            \"search\": \"`google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s | table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location http_user_agent | `gcp_detect_gcploit_framework_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"GCP Cross Account Activity\"\n                ],\n                \"asset_type\": \"GCP Account\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [\n                    \"Valid Accounts\"\n 
               ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"Wizard Spider\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"TEMP.Veles\",\n                    \"APT39\",\n                    \"FIN4\",\n                    \"Night Dragon\",\n                    \"Dragonfly 2.0\",\n                    \"FIN8\",\n                    \"Leviathan\",\n                    \"APT33\",\n                    \"OilRig\",\n                    \"FIN5\",\n                    \"menuPass\",\n                    \"APT28\",\n                    \"FIN10\",\n                    \"Suckfly\",\n                    \"FIN6\",\n                    \"Threat Group-3390\",\n                    \"APT18\",\n                    \"PittyTiger\",\n                    \"Carbanak\"\n                ]\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"google_gcp_pubsub_message\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"gcp_detect_gcploit_framework_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-10-09\",\n            \"description\": \"This search provides detection of high risk permissions by resource and accounts. These are permissions that can allow attackers with compromised accounts to move laterally and escalate privileges.\",\n            \"how_to_implement\": \"You must install splunk GCP add-on. This search works with gcp:pubsub:message logs\",\n            \"id\": \"2e70ef35-2187-431f-aedc-4503dc9b06ba\",\n            \"known_false_positives\": \"High risk permissions are part of any GCP environment, however it is important to track resource and accounts usage, this search may produce false positives.\",\n            \"name\": \"GCP Detect high risk permissions by resource and account\",\n            \"references\": [\n                \"https://github.com/dxa4481/gcploit\",\n                \"https://www.youtube.com/watch?v=Ml09R38jpok\",\n                \"https://cloud.google.com/iam/docs/permissions-reference\"\n            ],\n            \"search\": \"`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.permission=iam.serviceAccounts.getaccesstoken OR iam.serviceAccounts.setIamPolicy OR iam.serviceAccounts.actas OR dataflow.jobs.create OR composer.environments.create OR dataproc.clusters.create |table data.protoPayload.requestMetadata.callerIp data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.response.bindings{}.members{} data.resource.labels.project_id | `gcp_detect_high_risk_permissions_by_resource_and_account_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"GCP Cross Account Activity\"\n                ],\n                \"asset_type\": \"GCP Account\",\n                \"kill_chain_phases\": [\n        
            \"Lateral Movement\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [\n                    \"Valid Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"Wizard Spider\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"TEMP.Veles\",\n                    \"APT39\",\n                    \"FIN4\",\n                    \"Night Dragon\",\n                    \"Dragonfly 2.0\",\n                    \"FIN8\",\n                    \"Leviathan\",\n                    \"APT33\",\n                    \"OilRig\",\n                    \"FIN5\",\n                    \"menuPass\",\n                    \"APT28\",\n                    \"FIN10\",\n                    \"Suckfly\",\n                    \"FIN6\",\n                    \"Threat Group-3390\",\n                    \"APT18\",\n                    \"PittyTiger\",\n                    \"Carbanak\"\n                ]\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"google_gcp_pubsub_message\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"gcp_detect_high_risk_permissions_by_resource_and_account_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-09-01\",\n            \"description\": \"This search provides detection of possible GCP Oauth token abuse. GCP Oauth token without time limit can be exfiltrated and reused for keeping access sessions alive without further control of authentication, allowing attackers to access and move laterally.\",\n            \"how_to_implement\": \"You must install splunk GCP add-on. This search works with gcp:pubsub:message logs\",\n            \"id\": \"a7e9f7bb-8901-4ad0-8d88-0a4ab07b1972\",\n            \"known_false_positives\": \"GCP Oauth token abuse detection will only work if there are access policies in place along with audit logs.\",\n            \"name\": \"gcp detect oauth token abuse\",\n            \"references\": [\n                \"https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1\",\n                \"https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2\"\n            ],\n            \"search\": \"`google_gcp_pubsub_message` type.googleapis.com/google.cloud.audit.AuditLog |table protoPayload.@type protoPayload.status.details{}.@type protoPayload.status.details{}.violations{}.callerIp protoPayload.status.details{}.violations{}.type protoPayload.status.message  | `gcp_detect_oauth_token_abuse_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"GCP Cross Account Activity\"\n             
   ],\n                \"asset_type\": \"GCP Account\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [\n                    \"Valid Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"Wizard Spider\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"TEMP.Veles\",\n                    \"APT39\",\n                    \"FIN4\",\n                    \"Night Dragon\",\n                    \"Dragonfly 2.0\",\n                    \"FIN8\",\n                    \"Leviathan\",\n                    \"APT33\",\n                    \"OilRig\",\n                    \"FIN5\",\n                    \"menuPass\",\n                    \"APT28\",\n                    \"FIN10\",\n                    \"Suckfly\",\n                    \"FIN6\",\n                    \"Threat Group-3390\",\n                    \"APT18\",\n                    \"PittyTiger\",\n                    \"Carbanak\"\n                ]\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                    \"name\": \"google_gcp_pubsub_message\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"gcp_detect_oauth_token_abuse_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"GCP GCR container uploaded\",\n            \"id\": \"4f00ca88-e766-4605-ac65-ae51c9fd185b\",\n            \"version\": 1,\n            \"date\": \"2020-02-20\",\n            \"description\": \"This search shows information on uploaded containers including source user, account, action, bucket name, event name, http user agent, message and destination path.\",\n            \"how_to_implement\": \"You must install the GCP App for Splunk (version 2.0.0 or later), then configure Stackdriver and set a Pub/Sub subscription to be imported to Splunk. You must also install the Cloud Infrastructure data model. Please also customize the `gcp_gcr_container_uploaded_filter` macro (the filter macro this search actually invokes) to filter out the false positives.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rod Soto, Rico Valdez, Splunk\",\n            \"search\": \"|tstats count min(_time) as firstTime max(_time) as lastTime  FROM datamodel=Cloud_Infrastructure.Storage where Storage.event_name=storage.objects.create by Storage.src_user Storage.account Storage.action Storage.bucket_name Storage.event_name Storage.http_user_agent Storage.msg Storage.object_path | `drop_dm_object_name(\\\"Storage\\\")`  | `gcp_gcr_container_uploaded_filter` \",\n            \"known_false_positives\": \"Uploading a container is normal behavior for developers or users with access to the container registry. 
GCP GCR registers container upload as a Storage event, this search must be considered under the context of CONTAINER upload creation which automatically generates a bucket entry for destination path.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Container Implantation Monitoring and Investigation\"\n                ],\n                \"security_domain\": \"threat\",\n                \"asset_type\": \"GCP GCR Container\",\n                \"mitre_attack_id\": [\n                    \"T1525\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Implant Container Image\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"gcp_gcr_container_uploaded_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"GCP Kubernetes cluster pod scan detection\",\n            \"id\": \"19b53215-4a16-405b-8087-9e6acf619842\",\n            \"version\": 1,\n            \"date\": \"2020-07-17\",\n            \"description\": \"This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster's pods\",\n            \"how_to_implement\": \"You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rod Soto, Splunk\",\n            \"search\": \"`google_gcp_pubsub_message` category=kube-audit |spath input=properties.log |search responseStatus.code=401 |table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod | `gcp_kubernetes_cluster_pod_scan_detection_filter`\",\n            \"known_false_positives\": \"Not all unauthenticated requests are malicious, but frequency, User Agent, source IPs and pods  will provide context.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Scanning Activity\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Reconnaissance\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1526\"\n                ],\n                \"security_domain\": \"threat\",\n                \"asset_type\": \"GCP Kubernetes cluster\",\n                \"mitre_attack_technique\": [\n                    \"Cloud Service Discovery\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Discovery\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n         
   },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"google_gcp_pubsub_message\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"gcp_kubernetes_cluster_pod_scan_detection_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"GCP Kubernetes cluster scan detection\",\n            \"id\": \"db5957ec-0144-4c56-b512-9dccbe7a2d26\",\n            \"version\": 1,\n            \"date\": \"2020-04-15\",\n            \"description\": \"This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster\",\n            \"how_to_implement\": \"You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. 
You must also install the Cloud Infrastructure data model. Customize the macro `gcp_kubernetes_cluster_scan_detection_filter` (the filter macro this search actually invokes) to filter out false positives.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rod Soto, Splunk\",\n            \"search\": \"`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerIp!=127.0.0.1 data.protoPayload.requestMetadata.callerIp!=::1 \\\"data.labels.authorization.k8s.io/decision\\\"=forbid \\\"data.protoPayload.status.message\\\"=PERMISSION_DENIED data.protoPayload.authenticationInfo.principalEmail=\\\"system:anonymous\\\" | rename data.protoPayload.requestMetadata.callerIp as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(data.protoPayload.methodName) as method_name values(data.protoPayload.resourceName) as resource_name values(data.protoPayload.requestMetadata.callerSuppliedUserAgent) as http_user_agent by src_ip data.resource.labels.cluster_name | rename data.resource.labels.cluster_name as cluster_name| `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`  | `gcp_kubernetes_cluster_scan_detection_filter` \",\n            \"known_false_positives\": \"Not all unauthenticated requests are malicious, but frequency, User Agent and source IPs will provide context.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Scanning Activity\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Reconnaissance\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1526\"\n                ],\n                \"security_domain\": \"threat\",\n                \"asset_type\": \"GCP Kubernetes cluster\",\n                \"mitre_attack_technique\": [\n                    \"Cloud Service Discovery\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Discovery\"\n                ],\n                
\"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"google_gcp_pubsub_message\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"gcp_kubernetes_cluster_scan_detection_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-06-23\",\n            \"description\": \"This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision\",\n            \"how_to_implement\": \"You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs\",\n            \"id\": \"5b30b25d-7d32-42d8-95ca-64dfcd9076e6\",\n            \"known_false_positives\": \"Not all service accounts interactions are malicious. 
Analyst must consider IP, verb and decision context when trying to detect maliciousness.\",\n            \"name\": \"Kubernetes AWS detect most active service accounts by pod\",\n            \"references\": [],\n            \"search\": \"`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts  objectRef.resource=pods | table  sourceIPs{} user.username userAgent verb annotations.authorization.k8s.io/decision  | top  sourceIPs{} user.username verb annotations.authorization.k8s.io/decision |`kubernetes_aws_detect_most_active_service_accounts_by_pod_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Sensitive Role Activity\"\n                ],\n                \"asset_type\": \"AWS EKS Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"aws_cloudwatchlogs_eks\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"kubernetes_aws_detect_most_active_service_accounts_by_pod_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-06-23\",\n            \"description\": \"This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences\",\n            \"how_to_implement\": \"You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs\",\n            \"id\": \"de7264ed-3ed9-4fef-bb01-6eefc87cefe8\",\n            \"known_false_positives\": \"Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.\",\n            \"name\": \"Kubernetes AWS detect RBAC authorization by account\",\n            \"references\": [],\n            \"search\": \"`aws_cloudwatchlogs_eks` annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason | stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_aws_detect_rbac_authorization_by_account_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Sensitive Role Activity\"\n                ],\n                \"asset_type\": \"AWS EKS Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": 
\"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"aws_cloudwatchlogs_eks\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"kubernetes_aws_detect_rbac_authorization_by_account_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-06-23\",\n            \"description\": \"This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets\",\n            \"how_to_implement\": \"You must install Splunk Add-on for Amazon Web Services and Splunk App for AWS. 
This search works with cloudwatch logs.\",\n            \"id\": \"7f227943-2196-4d4d-8d6a-ac8cb308e61c\",\n            \"known_false_positives\": \"Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.\",\n            \"name\": \"AWS EKS Kubernetes cluster sensitive object access\",\n            \"references\": [],\n            \"search\": \"`aws_cloudwatchlogs_eks` objectRef.resource=secrets OR configmaps sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1  |table sourceIPs{} user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`aws_eks_kubernetes_cluster_sensitive_object_access_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Sensitive Object Access Activity\"\n                ],\n                \"asset_type\": \"AWS EKS Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"aws_cloudwatchlogs_eks\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"aws_eks_kubernetes_cluster_sensitive_object_access_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-06-23\",\n            \"description\": \"This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets\",\n            \"how_to_implement\": \"You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.\",\n            \"id\": \"b6013a7b-85e0-4a45-b051-10b252d69569\",\n            \"known_false_positives\": \"Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. \",\n            \"name\": \"Kubernetes AWS detect sensitive role access\",\n            \"references\": [],\n            \"search\": \"`aws_cloudwatchlogs_eks` objectRef.resource=clusterroles OR clusterrolebindings sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1  | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_aws_detect_sensitive_role_access_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Sensitive Role Activity\"\n                ],\n                \"asset_type\": \"AWS EKS Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                    \"description\": 
\"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"aws_cloudwatchlogs_eks\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"kubernetes_aws_detect_sensitive_role_access_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-06-23\",\n            \"description\": \"This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI\",\n            \"how_to_implement\": \"You must install splunk AWS add on and Splunk App for AWS. 
This search works with cloudwatch logs.\",\n            \"id\": \"a6959c57-fa8f-4277-bb86-7c32fba579d5\",\n            \"known_false_positives\": \"This search can give false positives as there might be inherent issues with authentications and permissions at cluster.\",\n            \"name\": \"Kubernetes AWS detect service accounts forbidden failure access\",\n            \"references\": [],\n            \"search\": \"`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts responseStatus.status = Failure | table sourceIPs{} user.username userAgent verb responseStatus.status requestURI | `kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Sensitive Object Access Activity\"\n                ],\n                \"asset_type\": \"AWS EKS Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"aws_cloudwatchlogs_eks\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-06-23\",\n            \"description\": \"This search provides information on anonymous Kubectl calls with IP, verb namespace and object access context\",\n            \"how_to_implement\": \"You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.\",\n            \"id\": \"042a3d32-8318-4763-9679-09db2644a8f2\",\n            \"known_false_positives\": \"Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets\",\n            \"name\": \"Kubernetes AWS detect suspicious kubectl calls\",\n            \"references\": [],\n            \"search\": \"`aws_cloudwatchlogs_eks` userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 src_user=system:anonymous  | table  src_ip src_user verb userAgent requestURI  | stats  count by src_ip src_user verb userAgent requestURI |`kubernetes_aws_detect_suspicious_kubectl_calls_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Sensitive Object Access Activity\"\n                ],\n                \"asset_type\": \"AWS EKS Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n        
            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"aws_cloudwatchlogs_eks\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"kubernetes_aws_detect_suspicious_kubectl_calls_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-05-26\",\n            \"description\": \"This search provides information on Kubernetes service accounts,accessing pods and namespaces by IP address and verb\",\n            \"how_to_implement\": \"You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics\",\n            \"id\": \"55a2264a-b7f0-45e5-addd-1e5ab3415c72\",\n            \"known_false_positives\": \"Not all service accounts interactions are malicious. 
Analyst must consider IP and verb context when trying to detect maliciousness.\",\n            \"name\": \"Kubernetes Azure detect most active service accounts by pod namespace\",\n            \"references\": [],\n            \"search\": \"`kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* OR user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow  | table  sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace | top sourceIPs{} user.username verb responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_detect_most_active_service_accounts_by_pod_namespace_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Sensitive Role Activity\"\n                ],\n                \"asset_type\": \"Azure AKS Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=mscs:storage:blob:json\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"kubernetes_azure\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"kubernetes_azure_detect_most_active_service_accounts_by_pod_namespace_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-05-26\",\n            \"description\": \"This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding rare or top to see both extremes of RBAC by accounts occurrences\",\n            \"how_to_implement\": \"You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics\",\n            \"id\": \"47af7d20-0607-4079-97d7-7a29af58b54e\",\n            \"known_false_positives\": \"Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.\",\n            \"name\": \"Kubernetes Azure detect RBAC authorization by account\",\n            \"references\": [],\n            \"search\": \"sourcetype:mscs:storage:blob:json category=kube-audit | spath input=properties.log | search annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason |stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_azure_detect_rbac_authorization_by_account_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Sensitive Role Activity\"\n                ],\n                \"asset_type\": \"Azure AKS Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            
\"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"kubernetes_azure_detect_rbac_authorization_by_account_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-05-20\",\n            \"description\": \"This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets\",\n            \"how_to_implement\": \"You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics\",\n            \"id\": \"1bba382b-07fd-4ffa-b390-8002739b76e8\",\n            \"known_false_positives\": \"Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.\",\n            \"name\": \"Kubernetes Azure detect sensitive object access\",\n            \"references\": [],\n            \"search\": \"`kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=secrets OR configmaps user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow  |table user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_object_access_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Sensitive Object Access Activity\"\n                ],\n                \"asset_type\": \"Azure AKS Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                
\"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=mscs:storage:blob:json\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"kubernetes_azure\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"kubernetes_azure_detect_sensitive_object_access_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-05-20\",\n            \"description\": \"This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets\",\n            \"how_to_implement\": \"You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics\",\n            \"id\": \"f27349e5-1641-4f6a-9e68-30402be0ad4c\",\n            \"known_false_positives\": \"Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. 
\",\n            \"name\": \"Kubernetes Azure detect sensitive role access\",\n            \"references\": [],\n            \"search\": \"`kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=clusterroles OR clusterrolebindings | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_role_access_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Sensitive Role Activity\"\n                ],\n                \"asset_type\": \"Azure AKS Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=mscs:storage:blob:json\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"kubernetes_azure\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"kubernetes_azure_detect_sensitive_role_access_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-05-20\",\n            \"description\": \"This search provides information on Kubernetes service accounts with failure or forbidden access status\",\n            \"how_to_implement\": \"You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics\",\n            \"id\": \"019690d7-420f-4da0-b320-f27b09961514\",\n            \"known_false_positives\": \"This search can give false positives as there might be inherent issues with authentications and permissions at cluster.\",\n            \"name\": \"Kubernetes Azure detect service accounts forbidden failure access\",\n            \"references\": [],\n            \"search\": \"`kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts*  responseStatus.reason=Forbidden | table  sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace  |`kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Sensitive Object Access Activity\"\n                ],\n                \"asset_type\": \"Azure AKS Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=mscs:storage:blob:json\",\n                    
\"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"kubernetes_azure\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-05-26\",\n            \"description\": \"This search provides information on rare Kubectl calls with IP, verb namespace and object access context\",\n            \"how_to_implement\": \"You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics\",\n            \"id\": \"4b6d1ba8-0000-4cec-87e6-6cbbd71651b5\",\n            \"known_false_positives\": \"Kubectl calls are not malicious by nature. 
However source IP, verb and Object can reveal potential malicious activity, specially suspicious IPs and sensitive objects such as configmaps or secrets\",\n            \"name\": \"Kubernetes Azure detect suspicious kubectl calls\",\n            \"references\": [],\n            \"search\": \"`kubernetes_azure` category=kube-audit | spath input=properties.log | spath input=responseObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | search userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 | table sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI | rare sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI|`kubernetes_azure_detect_suspicious_kubectl_calls_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Sensitive Object Access Activity\"\n                ],\n                \"asset_type\": \"Azure AKS Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=mscs:storage:blob:json\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"kubernetes_azure\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"kubernetes_azure_detect_suspicious_kubectl_calls_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-05-20\",\n            \"description\": \"This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster pod in Azure\",\n            \"how_to_implement\": \"You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics\",\n            \"id\": \"86aad3e0-732f-4f66-bbbc-70df448e461d\",\n            \"known_false_positives\": \"Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.\",\n            \"name\": \"Kubernetes Azure pod scan fingerprint\",\n            \"references\": [],\n            \"search\": \"`kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table  sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod |`kubernetes_azure_pod_scan_fingerprint_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Scanning Activity\"\n                ],\n                \"asset_type\": \"Azure AKS Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Reconnaissance\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=mscs:storage:blob:json\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for 
Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"kubernetes_azure\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"kubernetes_azure_pod_scan_fingerprint_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-05-19\",\n            \"description\": \"This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster in Azure\",\n            \"how_to_implement\": \"You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics\",\n            \"id\": \"c5e5bd5c-1013-4841-8b23-e7b3253c840a\",\n            \"known_false_positives\": \"Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.\",\n            \"name\": \"Kubernetes Azure scan fingerprint\",\n            \"references\": [],\n            \"search\": \"`kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table  sourceIPs{} userAgent verb requestURI responseStatus.reason |`kubernetes_azure_scan_fingerprint_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Scanning Activity\"\n                ],\n                \"asset_type\": \"Azure AKS Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Reconnaissance\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1526\"\n                ],\n                \"security_domain\": \"threat\",\n                
\"mitre_attack_technique\": [\n                    \"Cloud Service Discovery\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Discovery\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=mscs:storage:blob:json\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"kubernetes_azure\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"kubernetes_azure_scan_fingerprint_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-07-11\",\n            \"description\": \"This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences\",\n            \"how_to_implement\": \"You must install splunk AWS add on for GCP. This search works with pubsub messaging service logs\",\n            \"id\": \"99487de3-7192-4b41-939d-fbe9acfb1340\",\n            \"known_false_positives\": \"Not all RBAC Authorications are malicious. 
RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.\",\n            \"name\": \"Kubernetes GCP detect RBAC authorizations by account\",\n            \"references\": [],\n            \"search\": \"`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole  | table src_ip src_user data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | rare src_user data.labels.authorization.k8s.io/reason |`kubernetes_gcp_detect_rbac_authorizations_by_account_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Sensitive Role Activity\"\n                ],\n                \"asset_type\": \"GCP GKE Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"google_gcp_pubsub_message\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"kubernetes_gcp_detect_rbac_authorizations_by_account_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-07-10\",\n            \"description\": \"This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision\",\n            \"how_to_implement\": \"You must install splunk GCP add on. This search works with pubsub messaging service logs\",\n            \"id\": \"7f5c2779-88a0-4824-9caa-0f606c8f260f\",\n            \"known_false_positives\": \"Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness.\",\n            \"name\": \"Kubernetes GCP detect most active service accounts by pod\",\n            \"references\": [],\n            \"search\": \"`google_gcp_pubsub_message  data.protoPayload.request.spec.group{}=system:serviceaccounts | table src_ip src_user http_user_agent data.protoPayload.request.spec.nonResourceAttributes.verb data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource | top src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource |`kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Sensitive Role Activity\"\n                ],\n                \"asset_type\": \"GCP GKE Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n 
           \"macros\": [\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-07-11\",\n            \"description\": \"This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets\",\n            \"how_to_implement\": \"You must install splunk add on for GCP . This search works with pubsub messaging service logs.\",\n            \"id\": \"bdb6d596-86a0-4aba-8369-418ae8b9963a\",\n            \"known_false_positives\": \"Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.\",\n            \"name\": \"Kubernetes GCP detect sensitive object access\",\n            \"references\": [],\n            \"search\": \"`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.resource=configmaps OR secrets  | table data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name data.protoPayload.request.metadata.namespace data.labels.authorization.k8s.io/decision | dedup data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name |`kubernetes_gcp_detect_sensitive_object_access_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Sensitive Object Access Activity\"\n                ],\n                \"asset_type\": \"GCP GKE Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": 
[],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"google_gcp_pubsub_message\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"kubernetes_gcp_detect_sensitive_object_access_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-07-11\",\n            \"description\": \"This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets\",\n            \"how_to_implement\": \"You must install splunk add on for GCP. This search works with pubsub messaging servicelogs.\",\n            \"id\": \"a46923f6-36b9-4806-a681-31f314907c30\",\n            \"known_false_positives\": \"Sensitive role resource access is necessary for cluster operation, however source IP, user agent, decision and reason may indicate possible malicious use. 
\",\n            \"name\": \"Kubernetes GCP detect sensitive role access\",\n            \"references\": [],\n            \"search\": \"`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole dest=apis/rbac.authorization.k8s.io/v1 src_ip!=::1  | table src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | dedup src_ip src_user |`kubernetes_gcp_detect_sensitive_role_access_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Sensitive Role Activity\"\n                ],\n                \"asset_type\": \"GCP GKE EKS Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"google_gcp_pubsub_message\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"kubernetes_gcp_detect_sensitive_role_access_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-06-23\",\n            \"description\": \"This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI\",\n            \"how_to_implement\": \"You must install splunk add on for GCP. This search works with pubsub messaging service logs.\",\n            \"id\": \"7094808d-432a-48e7-bb3c-77e96c894f3b\",\n            \"known_false_positives\": \"This search can give false positives as there might be inherent issues with authentications and permissions at cluster.\",\n            \"name\": \"Kubernetes GCP detect service accounts forbidden failure access\",\n            \"references\": [],\n            \"search\": \"`google_gcp_pubsub_message` system:serviceaccounts data.protoPayload.response.status.allowed!=* | table src_ip src_user http_user_agent data.protoPayload.response.spec.resourceAttributes.namespace data.resource.labels.cluster_name data.protoPayload.response.spec.resourceAttributes.verb  data.protoPayload.request.status.allowed data.protoPayload.response.status.reason data.labels.authorization.k8s.io/decision | dedup src_ip src_user | `kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Sensitive Object Access Activity\"\n                ],\n                \"asset_type\": \"GCP GKE Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                
\"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                    \"description\": \"customer-specific Splunk configurations (e.g. index, source, sourcetype). Replace the macro definition with configurations for your Splunk environment.\",\n                    \"name\": \"google_gcp_pubsub_message\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter\"\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-07-11\",\n            \"description\": \"This search provides information on anonymous kubectl calls with IP, verb, namespace, and object access context.\",\n            \"how_to_implement\": \"You must install the Splunk Add-on for GCP. This search works with Pub/Sub messaging logs.\",\n            \"id\": \"a5bed417-070a-41f2-a1e4-82b6aa281557\",\n            \"known_false_positives\": \"Kubectl calls are not malicious by nature. 
However, source IP, source user, user agent, object path, and authorization context can reveal potentially malicious activity, especially anonymous suspicious IPs and sensitive objects such as ConfigMaps or Secrets.\",\n            \"name\": \"Kubernetes GCP detect suspicious kubectl calls\",\n            \"references\": [],\n            \"search\": \"`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerSuppliedUserAgent=kubectl* src_user=system:unsecured OR src_user=system:anonymous | table src_ip src_user data.protoPayload.requestMetadata.callerSuppliedUserAgent data.protoPayload.authorizationInfo{}.granted object_path |dedup src_ip src_user |`kubernetes_gcp_detect_suspicious_kubectl_calls_filter`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Kubernetes Sensitive Object Access Activity\"\n                ],\n                \"asset_type\": \"GCP GKE Kubernetes cluster\",\n                \"kill_chain_phases\": [\n                    \"Lateral Movement\"\n                ],\n                \"security_domain\": \"threat\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                    \"description\": \"customer-specific Splunk configurations (e.g. index, source, sourcetype). Replace the macro definition with configurations for your Splunk environment.\",\n                    \"name\": \"google_gcp_pubsub_message\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"kubernetes_gcp_detect_suspicious_kubectl_calls_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"New container uploaded to AWS ECR\",\n            \"id\": \"f0f70b40-f7ad-489d-9905-23d149da8099\",\n            \"version\": 1,\n            \"date\": \"2020-02-20\",\n            \"description\": \"This search shows information on uploaded containers, including source user, image id, source IP, user type, http user agent, region, and the first and last time of the operation (PutImage). These searches are based on the Cloud Infrastructure Data Model.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You must also install the Cloud Infrastructure data model. Please also customize the `container_implant_aws_detection_filter` macro to filter out the false positives.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rod Soto, Rico Valdez, Splunk\",\n            \"search\": \"| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Cloud_Infrastructure.Compute where Compute.user_type!=\\\"AssumeRole\\\" AND Compute.http_user_agent=\\\"AWS Internal\\\" AND Compute.event_name=\\\"PutImage\\\" by Compute.image_id Compute.src_user Compute.src Compute.region Compute.msg Compute.user_type | `drop_dm_object_name(\\\"Compute\\\")` | `new_container_uploaded_to_aws_ecr_filter` \",\n            \"known_false_positives\": \"Uploading a container is normal behavior for developers or users with access to the container registry.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Container Implantation Monitoring and Investigation\"\n                ],\n                \"security_domain\": \"threat\",\n                \"asset_type\": \"AWS ECR container\",\n                
\"mitre_attack_id\": [\n                    \"T1525\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Implant Container Image\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"new_container_uploaded_to_aws_ecr_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Access LSASS Memory for Dump Creation\",\n            \"id\": \"fb4c31b0-13e8-4155-8aa5-24de4b8d6717\",\n            \"version\": 2,\n            \"date\": \"2019-12-06\",\n            \"description\": \"Detect memory dumping of the LSASS process.\",\n            \"how_to_implement\": \"This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. 
The search also uses a post-filter macro designed to filter out known false positives.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\"\n            ],\n            \"author\": \"Patrick Bareiss, Splunk\",\n            \"search\": \"`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, TargetProcessId, SourceImage, SourceProcessId | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter` \",\n            \"known_false_positives\": \"Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Credential Dumping\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1003.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 6\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [\n                    \"LSASS Memory\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Credential Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"Whitefly\",\n                    \"Blue Mockingbird\",\n                    \"Silence\",\n             
\"Threat Group-3390\",\n                    \"Leviathan\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"TEMP.Veles\",\n                    \"APT33\",\n                    \"APT39\",\n                    \"Stolen Pencil\",\n                    \"APT32\",\n                    \"Lazarus Group\",\n                    \"Leafminer\",\n                    \"Magic Hound\",\n                    \"MuddyWater\",\n                    \"PLATINUM\",\n                    \"FIN8\",\n                    \"BRONZE BUTLER\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"APT3\",\n                    \"APT28\",\n                    \"APT1\",\n                    \"Ke3chang\",\n                    \"Cleaver\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\",\n                    \"description\": \"customer-specific Splunk configurations (e.g. index, source, sourcetype). Replace the macro definition with configurations for your Splunk environment.\",\n                    \"name\": \"sysmon\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"access_lsass_memory_for_dump_creation_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Attempt To Add Certificate To Untrusted Store\",\n            \"id\": \"6bc5243e-ef36-45dc-9b12-f4a6be131159\",\n            \"version\": 5,\n            \"date\": \"2020-07-21\",\n            \"description\": \"Attempt to add a certificate to the untrusted certificate store\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe (Processes.process=*-addstore* AND Processes.process=*disallowed* ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter`\",\n            \"known_false_positives\": \"There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. 
In such cases, this will typically be done on a large number of systems.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Disabling Security Tools\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1553.004\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Installation\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Install Root Certificate\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to 
filter out false positives. \",\n                    \"name\": \"attempt_to_add_certificate_to_untrusted_store_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Attempt To Set Default PowerShell Execution Policy To Unrestricted or Bypass\",\n            \"id\": \"c2590137-0b08-4985-9ec5-6ae23d92f63d\",\n            \"version\": 5,\n            \"date\": \"2020-07-21\",\n            \"description\": \"Monitor for changes of the ExecutionPolicy in the registry to the values \\\"unrestricted\\\" or \\\"bypass,\\\" which allows the execution of malicious scripts.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Registry node. You must also be ingesting logs with the fields registry_path, registry_key_name, and registry_value_name from your endpoints.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Patrick Bareiss, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=*Software\\\\\\\\Microsoft\\\\\\\\Powershell\\\\\\\\1\\\\\\\\ShellIds\\\\\\\\Microsoft.PowerShell* Registry.registry_key_name=ExecutionPolicy (Registry.registry_value_name=Unrestricted OR Registry.registry_value_name=Bypass) by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `attempt_to_set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter` \",\n            \"known_false_positives\": \"Administrators may attempt to change the default execution policy on a system for a variety of reasons. 
However, setting the policy to \\\"unrestricted\\\" or \\\"bypass\\\" as this search is designed to identify, would be unusual. Hits should be reviewed and investigated as appropriate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Malicious PowerShell\",\n                    \"Credential Dumping\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1059.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Installation\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"PowerShell\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"APT39\",\n                    \"DarkVishnya\",\n                    \"Molerats\",\n                    \"Wizard Spider\",\n                    \"Frankenstein\",\n                    \"Inception\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"Kimsuky\",\n                    \"Soft Cell\",\n                    \"TA505\",\n                    \"WIRTE\",\n                    \"TEMP.Veles\",\n                    \"APT33\",\n                    \"Gallmaker\",\n                    \"Turla\",\n                    \"APT19\",\n                    \"DarkHydrus\",\n                    \"APT28\",\n                    \"Thrip\",\n                    \"Gorgon Group\",\n                    \"Cobalt Group\",\n                    \"Dragonfly 2.0\",\n  
                  \"Leviathan\",\n                    \"TA459\",\n                    \"FIN8\",\n                    \"MuddyWater\",\n                    \"Magic Hound\",\n                    \"OilRig\",\n                    \"BRONZE BUTLER\",\n                    \"CopyKittens\",\n                    \"APT32\",\n                    \"FIN7\",\n                    \"FIN10\",\n                    \"Threat Group-3390\",\n                    \"menuPass\",\n                    \"Patchwork\",\n                    \"Stealth Falcon\",\n                    \"FIN6\",\n                    \"Poseidon Group\",\n                    \"APT3\",\n                    \"APT29\",\n                    \"Deep Panda\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"attempt_to_set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Attempt To Stop Security Service\",\n            \"id\": \"c8e349c6-b97c-486e-8949-bd7bcd1f3910\",\n            \"version\": 3,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for attempts to stop security-related services on the endpoint.\",\n            \"how_to_implement\": \"You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. The search is shipped with a lookup file, `security_services.csv`, that can be edited to update the list of services to monitor. This lookup file can be edited directly where it lives in `$SPLUNK_HOME/etc/apps/DA-ESS-ContentUpdate/lookups`, or via the Splunk console. You should add the names of services an attacker might use on the command line and surround with asterisks (*****), so that they work properly when searching the command line. 
The file should be updated with the names of any services you would like to monitor for attempts to stop the service.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = net.exe OR  Processes.process_name = sc.exe) Processes.process=\\\"* stop *\\\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`\",\n            \"known_false_positives\": \"None identified. Attempts to disable security-related services should be identified and understood.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Disabling Security Tools\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1562.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Installation\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Disable or Modify Tools\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense 
Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Gamaredon Group\",\n                    \"BRONZE BUTLER\",\n                    \"Rocke\",\n                    \"Kimsuky\",\n                    \"Turla\",\n                    \"Night Dragon\",\n                    \"Gorgon Group\",\n                    \"Lazarus Group\",\n                    \"Putter Panda\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"attempt_to_stop_security_service_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Attempted Credential Dump From Registry via Reg exe\",\n            \"id\": \"e9fb4a59-c5fb-440a-9f24-191fbc6b2911\",\n            \"version\": 4,\n            \"date\": \"2019-12-02\",\n            \"description\": \"Monitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline.\",\n            \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Patrick Bareiss, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=reg.exe OR Processes.process_name=cmd.exe) Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\\\\\\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\\\\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\\\\\System* OR Processes.process=*HKLM\\\\\\\\Security* OR Processes.process=*HKLM\\\\\\\\System* OR Processes.process=*HKLM\\\\\\\\SAM*) by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `attempted_credential_dump_from_registry_via_reg_exe_filter`\",\n            \"known_false_positives\": \"None identified.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Credential Dumping\"\n                ],\n                \"mitre_attack_id\": [\n   
                 \"T1003.002\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\",\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Security Account Manager\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Credential Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Threat Group-3390\",\n                    \"Ke3chang\",\n                    \"Soft Cell\",\n                    \"Night Dragon\",\n                    \"Dragonfly 2.0\",\n                    \"menuPass\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"attempted_credential_dump_from_registry_via_reg_exe_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Attempted Credential Dump From Registry via Reg exe - SSA\",\n            \"id\": \"14038953-e5f2-4daf-acff-5452062baf03\",\n            \"version\": 1,\n            \"date\": \"2020-6-04\",\n            \"description\": \"Monitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline.\",\n            \"how_to_implement\": \"You must be ingesting windows endpoint data that tracks process activity, including parent-child relationships from your endpoints.\",\n            \"type\": \"SSA\",\n            \"references\": [\n                \"https://github.com/splunk/security-content/blob/55a17c65f9f56c2220000b62701765422b46125d/detections/attempted_credential_dump_from_registry_via_reg_exe.yml\"\n            ],\n            \"author\": \"Jose Hernandez, Splunk\",\n            \"search\": \" | from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, \\\"_time\\\"), \\\"string\\\", null)) | eval process_name=lower(ucast(map_get(input_event, \\\"process_name\\\"), \\\"string\\\", null)), cmd_line=ucast(map_get(input_event, \\\"process\\\"), \\\"string\\\", null), dest_user_id=ucast(map_get(input_event, \\\"dest_user_id\\\"), \\\"string\\\", null), dest_device_id=ucast(map_get(input_event, \\\"dest_device_id\\\"), \\\"string\\\", null) | where process_name=\\\"cmd.exe\\\" OR process_name=\\\"reg.exe\\\" | where cmd_line != null  AND match_regex(cmd_line, /(?i)save\\\\s+/)=true AND ( match_regex(cmd_line, /(?i)HKLM\\\\\\\\Security/)=true OR match_regex(cmd_line, /(?i)HKLM\\\\\\\\SAM/)=true OR match_regex(cmd_line, /(?i)HKLM\\\\\\\\System/)=true OR match_regex(cmd_line, /(?i)HKEY_LOCAL_MACHINE\\\\\\\\Security/)=true OR match_regex(cmd_line, /(?i)HKEY_LOCAL_MACHINE\\\\\\\\SAM/)=true 
OR match_regex(cmd_line, /(?i)HKEY_LOCAL_MACHINE\\\\\\\\System/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend(dest_device_id, dest_user_id), body = \\\"TBD\\\" | into write_ssa_detected_events(); \",\n            \"known_false_positives\": \"None identified.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Credential Dumping\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1003\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\",\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"risk_severity\": \"low\",\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"OS Credential Dumping\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Credential Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT39\",\n                    \"Frankenstein\",\n                    \"APT32\",\n                    \"APT28\",\n                    \"Leviathan\",\n                    \"Sowbug\",\n                    \"Suckfly\",\n                    \"Poseidon Group\",\n                    \"Axiom\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Batch File Write to System32\",\n            \"id\": \"503d17cb-9eab-4cf8-a20e-01d5c6987ae3\",\n            \"version\": 1,\n            \"date\": \"2018-12-14\",\n            \"description\": \"The search looks for a batch file (.bat) written to the Windows system directory tree.\",\n            \"how_to_implement\": \"You must be ingesting 
data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name values(Filesystem.user) as user from datamodel=Endpoint.Filesystem by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name \\\"(?<file_extension>\\\\.[^\\\\.]+)$\\\" | search file_path=*system32* AND file_extension=.bat | `batch_file_write_to_system32_filter`\",\n            \"known_false_positives\": \"It is possible for this search to generate a notable event for a batch file write to a path that includes the string \\\"system32\\\", but is not the actual Windows system directory. As such, you should confirm the path of the batch file identified by the search. In addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. 
You should confirm that the activity is legitimate and modify the search to add exclusions, as necessary.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"SamSam Ransomware\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Delivery\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"batch_file_write_to_system32_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Child Processes of Spoolsv exe\",\n            \"id\": \"aa0c4aeb-5b18-41c4-8c07-f1442d7599df\",\n            \"version\": 3,\n            \"date\": \"2020-03-16\",\n            \"description\": \"This search looks for child processes of spoolsv.exe. This activity is associated with a POC privilege-escalation exploit associated with CVE-2018-8440. Spoolsv.exe is the process associated with the Print Spooler service in Windows and typically runs as SYSTEM.\",\n            \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. Update the `children_of_spoolsv_filter` macro to filter out legitimate child processes spawned by spoolsv.exe.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter` \",\n            \"known_false_positives\": \"Some legitimate printer-related processes may show up as children of spoolsv.exe. 
You should confirm that any activity as legitimate and may be added as exclusions in the search.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Privilege Escalation\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1068\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Exploitation\"\n                ],\n                \"cis20\": [\n                    \"CIS 5\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.AC\",\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Exploitation for Privilege Escalation\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Whitefly\",\n                    \"APT33\",\n                    \"Cobalt Group\",\n                    \"PLATINUM\",\n                    \"FIN8\",\n                    \"APT32\",\n                    \"Threat Group-3390\",\n                    \"FIN6\",\n                    \"APT28\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to 
string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"child_processes_of_spoolsv_exe_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Common Ransomware Extensions\",\n            \"id\": \"a9e5c5db-db11-43ca-86a8-c852d1b2c0ec\",\n            \"version\": 3,\n            \"date\": \"2020-03-16\",\n            \"description\": \"The search looks for file modifications with extensions commonly used by Ransomware\",\n            \"how_to_implement\": \"You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.\\\\\\nThis search produces fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** Name, **Field:** Name\\\\\\n1. \\\\\\n1. 
**Label:** File Extension, **Field:** file_extension\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name \\\"(?<file_extension>\\\\.[^\\\\.]+)$\\\" | `ransomware_extensions` | `common_ransomware_extensions_filter`\",\n            \"known_false_positives\": \"It is possible for a legitimate file with these extensions to be created. 
If this is a true ransomware attack, there will be a large number of files created with these extensions.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"SamSam Ransomware\",\n                    \"Ransomware\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Name | search Name !=False\",\n                    \"description\": \"This macro limits the output to files that have extensions associated with ransomware\",\n                    \"name\": \"ransomware_extensions\"\n                },\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this 
macro to limit the output results to filter out false positives. \",\n                    \"name\": \"common_ransomware_extensions_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Common Ransomware Notes\",\n            \"id\": \"ada0f478-84a8-4641-a3f1-d82362d6bd71\",\n            \"version\": 3,\n            \"date\": \"2020-03-16\",\n            \"description\": \"The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back.\",\n            \"how_to_implement\": \"You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_notes` | `common_ransomware_notes_filter`\",\n            \"known_false_positives\": \"It's possible that a legitimate file could be created with the same name used by ransomware note files.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"SamSam Ransomware\",\n                    \"Ransomware\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                
\"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status as \\\"Known Ransomware Notes\\\" | search \\\"Known Ransomware Notes\\\"=True\",\n                    \"description\": \"This macro limits the output to files that have been identified as a ransomware note\",\n                    \"name\": \"ransomware_notes\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"common_ransomware_notes_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Create local admin accounts using net exe\",\n            \"id\": \"b89919ed-fe5f-492c-b139-151bb162040e\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for the creation of local administrator accounts using net.exe.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND (Processes.process=*localgroup* OR Processes.process=*/add* OR Processes.process=*user*) by Processes.process Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`create_local_admin_accounts_using_net_exe_filter` \",\n            \"known_false_positives\": \"Administrators often leverage net.exe to create admin accounts.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"DHS Report TA18-074A\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1136.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                
],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Local Account\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT39\",\n                    \"APT41\",\n                    \"Dragonfly 2.0\",\n                    \"Leafminer\",\n                    \"APT3\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"create_local_admin_accounts_using_net_exe_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Create or delete windows shares using net exe\",\n            \"id\": \"qw9919ed-fe5f-492c-b139-151bb162140e\",\n            \"version\": 5,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for the creation or deletion of hidden shares using net.exe.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://attack.mitre.org/techniques/T1077/\",\n                \"https://attack.mitre.org/techniques/T1126/\"\n            ],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processs.process_name=net.exe OR Processes.process_name=net1.exe) by Processes.process Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter` \",\n            \"known_false_positives\": \"Administrators often leverage net.exe to create or delete network shares. 
You should verify that the activity was intentional and is legitimate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Hidden Cobra Malware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1059.003\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Windows Command Shell\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"TA505\",\n                    \"Blue Mockingbird\",\n                    \"Tropic Trooper\",\n                    \"Frankenstein\",\n                    \"OilRig\",\n                    \"Lazarus Group\",\n                    \"Honeybee\",\n                    \"Cobalt Group\",\n                    \"FIN7\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"Turla\",\n                    \"Silence\",\n                    \"APT32\",\n                    \"APT39\",\n                    \"Darkhotel\",\n                    \"MuddyWater\",\n                    \"APT18\",\n                    \"APT38\",\n                    \"Dark Caracal\",\n                    \"Gorgon Group\",\n                    \"Dragonfly 2.0\",\n                    \"Rancor\",\n                    \"Ke3chang\",\n                    \"APT37\",\n                    \"Leviathan\",\n                    \"FIN8\",\n                    \"APT28\",\n                    \"Magic Hound\",\n                 
   \"Sowbug\",\n                    \"BRONZE BUTLER\",\n                    \"FIN10\",\n                    \"Threat Group-3390\",\n                    \"menuPass\",\n                    \"Gamaredon Group\",\n                    \"Suckfly\",\n                    \"Patchwork\",\n                    \"Threat Group-1314\",\n                    \"APT3\",\n                    \"admin@338\",\n                    \"APT1\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"create_or_delete_windows_shares_using_net_exe_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Create Remote Thread into LSASS\",\n            \"id\": \"67d4dbef-9564-4699-8da8-03a151529edc\",\n            \"version\": 1,\n            \"date\": \"2019-12-06\",\n            \"description\": \"Detect remote thread creation into LSASS consistent with credential dumping.\",\n            \"how_to_implement\": \"This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. 
We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\"\n            ],\n            \"author\": \"Patrick Bareiss, Splunk\",\n            \"search\": \"`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by Computer, EventCode, TargetImage, TargetProcessId | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter`\",\n            \"known_false_positives\": \"Other tools can access LSASS for legitimate reasons and generate an event. 
In these cases, tweaking the search may help eliminate noise.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Credential Dumping\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1003.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [\n                    \"LSASS Memory\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Credential Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"Whitefly\",\n                    \"Blue Mockingbird\",\n                    \"Silence\",\n                    \"Threat Group-3390\",\n                    \"Leviathan\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"TEMP.Veles\",\n                    \"APT33\",\n                    \"APT39\",\n                    \"Stolen Pencil\",\n                    \"APT32\",\n                    \"Lazarus Group\",\n                    \"Leafminer\",\n                    \"Magic Hound\",\n                    \"MuddyWater\",\n                    \"PLATINUM\",\n                    \"FIN8\",\n                    \"BRONZE BUTLER\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"APT3\",\n                    \"APT28\",\n                    \"APT1\",\n                    \"Ke3chang\",\n                    \"Cleaver\"\n                ]\n            },\n            \"macros\": [\n                {\n               
     \"definition\": \"sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"sysmon\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"create_remote_thread_into_lsass_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Creation of Shadow Copy\",\n            \"id\": \"eb120f5f-b879-4a63-97c1-93352b5df844\",\n            \"version\": 1,\n            \"date\": \"2019-12-10\",\n            \"description\": \"Monitor for signs that Ntdsutil, Vssadmin, or Wmic has been used to create a shadow copy.\",\n            \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\"\n            ],\n            \"author\": \"Patrick Bareiss, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=ntdsutil.exe Processes.process=*ntds* Processes.process=*create*) OR (Processes.process_name=vssadmin.exe Processes.process=*create* Processes.process=*shadow*) OR (Processes.process_name=wmic.exe Processes.process=*shadowcopy* Processes.process=*create*) by Processes.dest Processes.user Processes.process_name Processes.process  Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_filter`\",\n            \"known_false_positives\": \"Legtimate administrator usage of Ntdsutil, Vssadmin, or Wmic will create false positives.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Credential Dumping\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1003.003\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"NTDS\"\n                ],\n               
 \"mitre_attack_tactics\": [\n                    \"Credential Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"FIN6\",\n                    \"Dragonfly 2.0\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"creation_of_shadow_copy_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Creation of Shadow Copy with wmic and powershell\",\n            \"id\": \"2ed8b538-d284-449a-be1d-82ad1dbd186b\",\n            \"version\": 1,\n            \"date\": \"2019-12-10\",\n            \"description\": \"This search detects the use of wmic and Powershell to create a shadow copy.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\"\n            ],\n            \"author\": \"Patrick Bareiss, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic* OR Processes.process_name=powershell* Processes.process=*shadowcopy* Processes.process=*create* by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_with_wmic_and_powershell_filter`\",\n            \"known_false_positives\": \"Legtimate administrator usage of wmic to create a shadow copy.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Credential Dumping\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1003.003\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": 
\"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"NTDS\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Credential Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"FIN6\",\n                    \"Dragonfly 2.0\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"creation_of_shadow_copy_with_wmic_and_powershell_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Credential Dumping via Copy Command from Shadow Copy\",\n            \"id\": \"d8c406fe-23d2-45f3-a983-1abe7b83ff3b\",\n            \"version\": 1,\n            \"date\": \"2019-12-10\",\n            \"description\": \"This search detects credential dumping using copy command from a shadow copy.\",\n            \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\"\n            ],\n            \"author\": \"Patrick Bareiss, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe (Processes.process=*\\\\\\\\system32\\\\\\\\config\\\\\\\\sam* OR Processes.process=*\\\\\\\\system32\\\\\\\\config\\\\\\\\security* OR Processes.process=*\\\\\\\\system32\\\\\\\\config\\\\\\\\system* OR Processes.process=*\\\\\\\\windows\\\\\\\\ntds\\\\\\\\ntds.dit*) by Processes.dest Processes.user Processes.process_name Processes.process  Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_copy_command_from_shadow_copy_filter` \",\n            \"known_false_positives\": \"unknown\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Credential Dumping\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1003.003\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"NTDS\"\n                ],\n                \"mitre_attack_tactics\": [\n  
                  \"Credential Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"FIN6\",\n                    \"Dragonfly 2.0\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"credential_dumping_via_copy_command_from_shadow_copy_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Credential Dumping via Symlink to Shadow Copy\",\n            \"id\": \"c5eac648-fae0-4263-91a6-773df1f4c903\",\n            \"version\": 1,\n            \"date\": \"2019-12-10\",\n            \"description\": \"This search detects the creation of a symlink to a shadow copy.\",\n            \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\"\n            ],\n            \"author\": \"Patrick Bareiss, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name Processes.process  Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_symlink_to_shadow_copy_filter` \",\n            \"known_false_positives\": \"unknown\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Credential Dumping\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1003.003\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"NTDS\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Credential Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"FIN6\",\n                    \"Dragonfly 2.0\"\n                ]\n          
  },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"credential_dumping_via_symlink_to_shadow_copy_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Credential Extraction indicative of FGDump and CacheDump with s option\",\n            \"id\": \"312582f2-5e91-42c1-a275-cd67f31373c8\",\n            \"version\": 1,\n            \"date\": \"2020-10-18\",\n            \"description\": \"Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. FGdump is a newer version of pwdump tool that extracts NTLM and LanMan password hashes from Windows. 
Cachedump is a publicly-available tool that extracts cached password hashes from a system's registry.\",\n            \"how_to_implement\": \"You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.\",\n            \"references\": [],\n            \"type\": \"SSA\",\n            \"author\": \"Stanislav Miskovic, Splunk\",\n            \"search\": \" | from read_ssa_enriched_events()\\n| eval timestamp=parse_long(ucast(map_get(input_event, \\\"_time\\\"), \\\"string\\\", null)), cmd_line=ucast(map_get(input_event, \\\"process\\\"), \\\"string\\\", null), process_name=ucast(map_get(input_event, \\\"process_name\\\"), \\\"string\\\", null), process_path=ucast(map_get(input_event, \\\"process_path\\\"), \\\"string\\\", null), parent_process_name=ucast(map_get(input_event, \\\"parent_process_name\\\"), \\\"string\\\", null) | where cmd_line != null AND process_name != null AND parent_process_name != null AND match_regex(parent_process_name, /(?i)System32\\\\\\\\services.exe/)=true AND match_regex(process_name, /(?i)cachedump\\\\d{0,2}.exe/)=true AND match_regex(process_path, /(?i)\\\\\\\\Temp/)=true AND match_regex(cmd_line, /(?i)\\\\-s/)=true\\n| eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, \\\"dest_user_id\\\"), \\\"string\\\", null), ucast(map_get(input_event, \\\"dest_device_id\\\"), \\\"string\\\", null)), body = \\\"TBD\\\" | into write_ssa_detected_events();\",\n            \"eli5\": \"This detection identifies one of the inevitable stages of FGdump in which CacheDump is called. Note, CacheDump activity may also be embedded in other exploit tools. 
For more details on FGdump stages see https://github.com/interference-security/kali-windows-binaries/tree/master/fgdump\",\n            \"known_false_positives\": \"None identified.\",\n            \"tags\": {\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_technique_id\": [\n                    \"T1003\"\n                ],\n                \"nist\": [\n                    \"PR.AC\",\n                    \"PR.IP\"\n                ],\n                \"risk_severity\": \"high\",\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            }\n        },\n        {\n            \"name\": \"Credential Extraction indicative of FGDump and CacheDump with v option\",\n            \"id\": \"3c40b0ef-a03f-460a-9484-e4b9117cbb38\",\n            \"version\": 1,\n            \"date\": \"2020-10-18\",\n            \"description\": \"Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. FGdump is a newer version of pwdump tool that extracts NTLM and LanMan password hashes from Windows. 
Cachedump is a publicly-available tool that extracts cached password hashes from a system's registry.\",\n            \"how_to_implement\": \"You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.\",\n            \"references\": [],\n            \"type\": \"SSA\",\n            \"author\": \"Stanislav Miskovic, Splunk\",\n            \"search\": \" | from read_ssa_enriched_events()\\n| eval timestamp=parse_long(ucast(map_get(input_event, \\\"_time\\\"), \\\"string\\\", null)), cmd_line=ucast(map_get(input_event, \\\"process\\\"), \\\"string\\\", null), process_name=ucast(map_get(input_event, \\\"process_name\\\"), \\\"string\\\", null), process_path=ucast(map_get(input_event, \\\"process_path\\\"), \\\"string\\\", null) | where cmd_line != null AND process_name != null AND process_path != null AND match_regex(process_name, /(?i)cachedump\\\\d{0,2}.exe/)=true AND match_regex(process_path, /(?i)\\\\\\\\Temp/)=true AND match_regex(cmd_line, /(?i)\\\\-v/)=true\\n| eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, \\\"dest_user_id\\\"), \\\"string\\\", null), ucast(map_get(input_event, \\\"dest_device_id\\\"), \\\"string\\\", null)), body = \\\"TBD\\\" | into write_ssa_detected_events();\",\n            \"eli5\": \"This detection identifies one of the stages of FGdump in which CacheDump is called. Note, CacheDump activity may also be embedded in other exploit tools. 
For more details on FGdump stages see https://github.com/interference-security/kali-windows-binaries/tree/master/fgdump\",\n            \"known_false_positives\": \"None identified.\",\n            \"tags\": {\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_technique_id\": [\n                    \"T1003\"\n                ],\n                \"nist\": [\n                    \"PR.AC\",\n                    \"PR.IP\"\n                ],\n                \"risk_severity\": \"high\",\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            }\n        },\n        {\n            \"name\": \"Credential Extraction via Get-ADDBAccount module present in PowerSploit and DSInternals\",\n            \"id\": \"e4f126b5-e6bc-4a5c-b1a8-d07bc6c4a49f\",\n            \"version\": 1,\n            \"date\": \"2020-10-18\",\n            \"description\": \"Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. 
PowerSploit and DSInternals are common exploit APIs offering PowerShell modules for various exploits of Windows and Active Directory environments.\",\n            \"how_to_implement\": \"You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.\",\n            \"references\": [],\n            \"type\": \"SSA\",\n            \"author\": \"Stanislav Miskovic, Splunk\",\n            \"search\": \" | from read_ssa_enriched_events()\\n| eval timestamp=parse_long(ucast(map_get(input_event, \\\"_time\\\"), \\\"string\\\", null)), cmd_line=ucast(map_get(input_event, \\\"process\\\"), \\\"string\\\", null) | where cmd_line != null AND match_regex(cmd_line, /(?i)Get-ADDBAccount/)=true AND match_regex(cmd_line, /(?i)\\\\-dbpath[\\\\s;:\\\\.\\\\|]+/)=true\\n| eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, \\\"dest_user_id\\\"), \\\"string\\\", null), ucast(map_get(input_event, \\\"dest_device_id\\\"), \\\"string\\\", null)), body = \\\"TBD\\\" | into write_ssa_detected_events();\",\n            \"eli5\": \"This detection identifies triggering of the PowerSploit or DSInternals for extraction of all accounts from a previously dumped ntds.dit credential store.\",\n            \"known_false_positives\": \"None identified.\",\n            \"tags\": {\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_technique_id\": [\n                    \"T1003\"\n                ],\n                \"nist\": [\n                    \"PR.IP\",\n                    \"PR.AC\"\n                ],\n                \"risk_severity\": \"high\",\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [],\n                
\"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            }\n        },\n        {\n            \"name\": \"Credential Extraction indicative of Lazagne command line options\",\n            \"id\": \"341975fa-4ad0-4f01-9acc-df4f69742db7\",\n            \"version\": 1,\n            \"date\": \"2020-10-18\",\n            \"description\": \"Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. LaZagne is a tool that extracts various kinds of credentials from a local computer, including account passwords, domain passwords, browser passwords, etc.\",\n            \"how_to_implement\": \"You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.\",\n            \"references\": [],\n            \"type\": \"SSA\",\n            \"author\": \"Stanislav Miskovic, Splunk\",\n            \"search\": \" | from read_ssa_enriched_events()\\n| eval timestamp=parse_long(ucast(map_get(input_event, \\\"_time\\\"), \\\"string\\\", null)), cmd_line=ucast(map_get(input_event, \\\"process\\\"), \\\"string\\\", null) | where cmd_line != null AND match_regex(cmd_line, /(?i)all\\\\s+\\\\-oA\\\\s+\\\\-output/)=true\\n| eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, \\\"dest_user_id\\\"), \\\"string\\\", null), ucast(map_get(input_event, \\\"dest_device_id\\\"), \\\"string\\\", null)), body = \\\"TBD\\\" | into write_ssa_detected_events();\",\n            \"eli5\": \"This detection identifies the most common LaZagne invocation, in which it is instructed to extract all available passwords and output them to a file. 
For more details on LaZagne see https://github.com/AlessandroZ/LaZagne\",\n            \"known_false_positives\": \"None identified.\",\n            \"tags\": {\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_technique_id\": [\n                    \"T1003\",\n                    \"T1555\"\n                ],\n                \"nist\": [\n                    \"PR.IP\",\n                    \"PR.AC\"\n                ],\n                \"risk_severity\": \"high\",\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            }\n        },\n        {\n            \"name\": \"Credential Extraction native Microsoft debuggers peek into the kernel\",\n            \"id\": \"c20bb8ec-e1b0-4640-b0ef-3a4c54f8c112\",\n            \"version\": 1,\n            \"date\": \"2020-10-18\",\n            \"description\": \"Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. 
Native Microsoft debuggers, such as kd, ntkd, livekd and windbg, can be leveraged to read credential material directly from memory and process dumps.\",\n            \"how_to_implement\": \"You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.\",\n            \"references\": [\n                \"https://medium.com/@clermont1050/covid-19-cyber-infection-c615ead7c29\"\n            ],\n            \"type\": \"SSA\",\n            \"author\": \"Stanislav Miskovic, Splunk\",\n            \"search\": \" | from read_ssa_enriched_events()\\n| eval timestamp=parse_long(ucast(map_get(input_event, \\\"_time\\\"), \\\"string\\\", null)), cmd_line=ucast(map_get(input_event, \\\"process\\\"), \\\"string\\\", null), process_name=ucast(map_get(input_event, \\\"process_name\\\"), \\\"string\\\", null), parent_process_name=ucast(map_get(input_event, \\\"parent_process_name\\\"), \\\"string\\\", null) | where cmd_line != null AND parent_process_name != null AND process_name != null  AND ( match_regex(parent_process_name, /(?i)ntkd\\\\.exe/)=true OR match_regex(parent_process_name, /(?i)livekd\\\\.exe/)=true ) AND match_regex(process_name, /(?i)conhost\\\\.exe/)=true AND match_regex(cmd_line, /(?i)0xffffffff/)=true AND match_regex(cmd_line, /(?i)\\\\-ForceV1/)=true\\n| eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, \\\"dest_user_id\\\"), \\\"string\\\", null), ucast(map_get(input_event, \\\"dest_device_id\\\"), \\\"string\\\", null)), body = \\\"TBD\\\" | into write_ssa_detected_events();\",\n            \"eli5\": \"This detection spots when native Microsoft debuggers ask for something inside the kernel (via ForceV1) while retrieving credentials.\",\n            \"known_false_positives\": \"Although unlikely, using debuggers this way may be indicative of developers analyzing crash dumps of their code. 
Note, even for developers this is an unusual way of working on code - debuggers are mostly used to step through code, not analyze its crash dumps.\",\n            \"tags\": {\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_technique_id\": [\n                    \"T1003\"\n                ],\n                \"nist\": [\n                    \"PR.IP\",\n                    \"PR.AC\"\n                ],\n                \"risk_severity\": \"medium\",\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            }\n        },\n        {\n            \"name\": \"Credential Extraction native Microsoft debuggers via z command line option\",\n            \"id\": \"adc51a77-90c9-4358-b43c-f10dd1a27d05\",\n            \"version\": 1,\n            \"date\": \"2020-10-18\",\n            \"description\": \"Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. 
Native Microsoft debuggers, such as kd, ntkd, livekd and windbg, can be leveraged to read credential material directly from memory and process dumps.\",\n            \"how_to_implement\": \"You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.\",\n            \"references\": [],\n            \"type\": \"SSA\",\n            \"author\": \"Stanislav Miskovic, Splunk\",\n            \"search\": \" | from read_ssa_enriched_events()\\n| eval timestamp=parse_long(ucast(map_get(input_event, \\\"_time\\\"), \\\"string\\\", null)), cmd_line=ucast(map_get(input_event, \\\"process\\\"), \\\"string\\\", null), process_name=ucast(map_get(input_event, \\\"process_name\\\"), \\\"string\\\", null) | where cmd_line != null AND process_name != null AND ( match_regex(process_name, /^(?i)ntkd\\\\.exe/)=true OR match_regex(process_name, /^(?i)kd\\\\.exe/)=true ) AND match_regex(cmd_line, /(?i)\\\\-z\\\\s+/)=true\\n| eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, \\\"dest_user_id\\\"), \\\"string\\\", null), ucast(map_get(input_event, \\\"dest_device_id\\\"), \\\"string\\\", null)), body = \\\"TBD\\\" | into write_ssa_detected_events();\",\n            \"eli5\": \"This detects use of -z command line option which specifies location of the credentials dump file to native Microsoft debuggers.\",\n            \"known_false_positives\": \"Although unlikely, using debuggers this way may be indicative of developers analyzing crash dumps of their code. 
Note, even for developers this is an unusual way of working on code - debuggers are mostly used to step through code, not analyze its crash dumps.\",\n            \"tags\": {\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_technique_id\": [\n                    \"T1003\"\n                ],\n                \"nist\": [\n                    \"PR.AC\",\n                    \"PR.IP\"\n                ],\n                \"risk_severity\": \"medium\",\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            }\n        },\n        {\n            \"name\": \"Deleting Shadow Copies\",\n            \"id\": \"b89919ed-ee5f-492c-b139-95dbb162039e\",\n            \"version\": 3,\n            \"date\": \"2020-07-21\",\n            \"description\": \"The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service.  Wmic is an interface to the Windows Management Instrumentation.  This search looks for either of these tools being used to delete shadow copies.\",\n            \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe OR Processes.process_name=wmic.exe)  by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*delete* AND process=*shadow* | `deleting_shadow_copies_filter`\",\n            \"known_false_positives\": \"vssadmin.exe and wmic.exe are standard applications shipped with modern versions of windows. They may be used by administrators to legitimately delete old backup copies, although this is typically rare.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Log Manipulation\",\n                    \"SamSam Ransomware\",\n                    \"Ransomware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1485\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 10\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Data Destruction\"\n                ],\n                \"mitre_attack_tactics\": [\n     
               \"Impact\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"Lazarus Group\",\n                    \"APT38\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"deleting_shadow_copies_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Activity Related to Pass the Hash Attacks\",\n            \"id\": \"f5939373-8054-40ad-8c64-cec478a22a4b\",\n            \"version\": 5,\n            \"date\": \"2020-10-15\",\n            \"description\": \"This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique.\",\n            \"how_to_implement\": \"To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Patrick Bareiss, Splunk\",\n            \"search\": \"`wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp WorkstationName=WORKSTATION NOT AccountName=\\\"ANONYMOUS LOGON\\\") OR (Logon_Type=9 Logon_Process=seclogo) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_activity_related_to_pass_the_hash_attacks_filter` \",\n            \"known_false_positives\": \"Legitimate logon activity by authorized NTLM systems may be detected by this search. 
Please investigate as appropriate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1550.002\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\",\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"PR.AT\",\n                    \"PR.AC\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"access\",\n                \"asset_type\": \"Endpoint\",\n                \"automated_detection_testing\": \"passed\",\n                \"dataset\": [\n                    \"https://attack-range-attack-data.s3-us-west-2.amazonaws.com/T1550.002/windows-security.log\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Pass the Hash\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Soft Cell\",\n                    \"APT32\",\n                    \"Night Dragon\",\n                    \"APT28\",\n                    \"APT1\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"eventtype=wineventlog_security\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                    \"name\": \"wineventlog_security\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_activity_related_to_pass_the_hash_attacks_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Computer Changed with Anonymous Account\",\n            \"id\": \"1400624a-d42d-484d-8843-e6753e6e3645\",\n            \"version\": 1,\n            \"date\": \"2020-09-18\",\n            \"description\": \"This search looks for Event Code 4742 (Computer Change) or EventCode 4624 (An account was successfully logged on) with an anonymous account.\",\n            \"how_to_implement\": \"This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. 
The search also uses a post-filter macro designed to filter out known false positives.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/\"\n            ],\n            \"author\": \"Rod Soto, Jose Hernandez, Splunk\",\n            \"search\": \"`wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName=\\\"ANONYMOUS LOGON\\\" LogonType=3 | stats count values(host) as host, values(TargetDomainName) as Domain, values(user) as user | `detect_computer_changed_with_anonymous_account_filter`\",\n            \"known_false_positives\": \"None thus far found\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Detect Zerologon Attack\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1210\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 6\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.AE\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [\n                    \"Exploitation of Remote Services\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Threat Group-3390\",\n                    \"APT28\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"eventtype=wineventlog_security\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                    \"name\": \"wineventlog_security\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_computer_changed_with_anonymous_account_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Credential Dumping through LSASS access\",\n            \"id\": \"2c365e57-4414-4540-8dc0-73ab10729996\",\n            \"version\": 3,\n            \"date\": \"2019-12-03\",\n            \"description\": \"This search looks for reading lsass memory consistent with credential dumping.\",\n            \"how_to_implement\": \"This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Patrick Bareiss, Splunk\",\n            \"search\": \"`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter` \",\n            \"known_false_positives\": \"The activity may be legitimate. 
Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Credential Dumping\",\n                    \"Detect Zerologon Attack\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1003.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\",\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"PR.IP\",\n                    \"PR.AC\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [\n                    \"LSASS Memory\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Credential Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"Whitefly\",\n                    \"Blue Mockingbird\",\n                    \"Silence\",\n                    \"Threat Group-3390\",\n                    \"Leviathan\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"TEMP.Veles\",\n                    \"APT33\",\n                    \"APT39\",\n                    \"Stolen Pencil\",\n                    \"APT32\",\n                    \"Lazarus Group\",\n                    \"Leafminer\",\n                    \"Magic Hound\",\n                    \"MuddyWater\",\n                    \"PLATINUM\",\n                    \"FIN8\",\n                    \"BRONZE BUTLER\",\n       
             \"OilRig\",\n                    \"FIN6\",\n                    \"APT3\",\n                    \"APT28\",\n                    \"APT1\",\n                    \"Ke3chang\",\n                    \"Cleaver\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"sysmon\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_credential_dumping_through_lsass_access_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Dump LSASS Memory using comsvcs - SSA\",\n            \"id\": \"76bb9e35-f314-4c3d-a385-83c72a13ce4e\",\n            \"version\": 1,\n            \"date\": \"2020-09-15\",\n            \"description\": \"This search detects the memory of lsass.exe being dumped for offline credential theft attack.\",\n            \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including Windows command line logging. 
You can see how we test this with [Event Code 4688](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4688a) on the [attack_range](https://github.com/splunk/attack_range/blob/develop/ansible/roles/windows_common/tasks/windows-enable-4688-cmd-line-audit.yml).\",\n            \"type\": \"SSA\",\n            \"references\": [\n                \"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\"\n            ],\n            \"author\": \"Jose Hernandez, Splunk\",\n            \"search\": \"| from read_ssa_enriched_events() | select from_json_object(value) as input_event | eval tenant=ucast(map_get(input_event, \\\"_tenant\\\"), \\\"string\\\", null), machine=ucast(map_get(input_event, \\\"dest_device_id\\\"), \\\"string\\\", null), process_name=lower(ucast(map_get(input_event, \\\"process_name\\\"), \\\"string\\\", null)), timestamp=parse_long(ucast(map_get(input_event, \\\"_time\\\"), \\\"string\\\", null)), process=lower(ucast(map_get(input_event, \\\"process\\\"), \\\"string\\\", null)) | where process_name LIKE \\\"%rundll32.exe%\\\" AND match_regex(process, /(?i)comsvcs.dll[,\\\\s]+MiniDump/)=true | eval start_time = timestamp, end_time = timestamp, entities = mvappend(machine), body = \\\"TBD\\\" | into write_ssa_detected_events();\",\n            \"known_false_positives\": \"None identified.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Credential Dumping\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1003.003\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                
\"risk_severity\": \"low\",\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"NTDS\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Credential Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"FIN6\",\n                    \"Dragonfly 2.0\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Detect Excessive Account Lockouts From Endpoint\",\n            \"id\": \"c026e3dd-7e18-4abb-8f41-929e836efe74\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search identifies endpoints that have caused a relatively high number of account lockouts in a short period.\",\n            \"how_to_implement\": \"You must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment. \\\\\\n **Splunk>Phantom Playbook Integration**\\\\\\nIf Splunk>Phantom is also configured in your environment, a Playbook called \\\"Excessive Account Lockouts Enrichment and Response\\\" can be configured to run when any results are found by this detection search. The Playbook executes the Contextual and Investigative searches in this Story, conducts additional information gathering on Windows endpoints, and takes a response action to shut down the affected endpoint. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \\\"Phantom Instance\\\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. 
\\\\\\n(Playbook Link:`https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/`).\\\\\\n\",\n            \"type\": \"ESCU\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where nodename=All_Changes.Account_Management All_Changes.result=\\\"lockout\\\" by All_Changes.dest All_Changes.result |`drop_dm_object_name(\\\"All_Changes\\\")` |`drop_dm_object_name(\\\"Account_Management\\\")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_account_lockouts_from_endpoint_filter`\",\n            \"known_false_positives\": \"It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Account Monitoring and Controls\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.003\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"access\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [\n                    \"Local Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Tropic Trooper\",\n                    \"FIN10\",\n                    \"Stolen Pencil\",\n                    \"APT32\"\n                ]\n            },\n            \"macros\": [\n                {\n            
        \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_excessive_account_lockouts_from_endpoint_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Excessive User Account Lockouts\",\n            \"id\": \"95a7f9a5-6096-437e-a19e-86f42ac609bd\",\n            \"version\": 3,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search detects user accounts that have been locked out a relatively high number of times in a short period.\",\n            \"how_to_implement\": \"ou must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. 
Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where nodename=All_Changes.Account_Management All_Changes.result=\\\"lockout\\\" by All_Changes.user All_Changes.result |`drop_dm_object_name(\\\"All_Changes\\\")` |`drop_dm_object_name(\\\"Account_Management\\\")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_user_account_lockouts_filter`\",\n            \"known_false_positives\": \"It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Account Monitoring and Controls\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.003\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"access\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [\n                    \"Local Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Tropic Trooper\",\n                    \"FIN10\",\n                    \"Stolen Pencil\",\n                    \"APT32\"\n                ]\n            },\n            
\"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_excessive_user_account_lockouts_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Mimikatz Using Loaded Images\",\n            \"id\": \"29e307ba-40af-4ab2-91b2-3c6b392bbba0\",\n            \"version\": 1,\n            \"date\": \"2019-12-03\",\n            \"description\": \"This search looks for reading loaded Images unique to credential dumping with Mimikatz.\",\n            \"how_to_implement\": \"This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 7 with powershell.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. 
The search also uses a post-filter macro designed to filter out known false positives.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html\"\n            ],\n            \"author\": \"Patrick Bareiss, Splunk\",\n            \"search\": \"`sysmon` EventCode=7 | stats values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId by Computer, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_using_loaded_images_filter`\",\n            \"known_false_positives\": \"Other tools can import the same DLLs. These tools should be part of a whitelist.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Credential Dumping\",\n                    \"Detect Zerologon Attack\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1003.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 6\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.AE\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [\n                    \"LSASS Memory\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Credential Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"Whitefly\",\n                    \"Blue Mockingbird\",\n                    \"Silence\",\n     
               \"Threat Group-3390\",\n                    \"Leviathan\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"TEMP.Veles\",\n                    \"APT33\",\n                    \"APT39\",\n                    \"Stolen Pencil\",\n                    \"APT32\",\n                    \"Lazarus Group\",\n                    \"Leafminer\",\n                    \"Magic Hound\",\n                    \"MuddyWater\",\n                    \"PLATINUM\",\n                    \"FIN8\",\n                    \"BRONZE BUTLER\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"APT3\",\n                    \"APT28\",\n                    \"APT1\",\n                    \"Ke3chang\",\n                    \"Cleaver\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"sysmon\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"detect_mimikatz_using_loaded_images_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Mimikatz Via PowerShell And EventCode 4703\",\n            \"id\": \"98917be2-bfc8-475a-8618-a9bb06575188\",\n            \"version\": 2,\n            \"date\": \"2019-02-27\",\n            \"description\": \"This search looks for PowerShell requesting privileges consistent with credential dumping.\",\n            \"how_to_implement\": \"You must be ingesting Windows Security logs. You must also enable the account change auditing here: http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/MonitorWindowseventlogdata. Additionally, this search requires you to enable your Group Management Audit Logs in your Local Windows Security Policy and to be ingesting those logs.  More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/. Finally, please make sure that the local administrator group name is \\\"Administrators\\\" to be able to look for the right group membership changes.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"`wineventlog_security` signature_id=4703 Process_Name=*powershell.exe | rex field=Message \\\"Enabled Privileges:\\\\s+(?<privs>\\\\w+)\\\\s+Disabled Privileges:\\\" | where privs=\\\"SeDebugPrivilege\\\" | stats count min(_time) as firstTime max(_time) as lastTime by dest, Process_Name, privs, Process_ID, Message | rename privs as \\\"Enabled Privilege\\\" | rename Process_Name as process |  `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_via_powershell_and_eventcode_4703_filter`\",\n            \"known_false_positives\": \"The activity may be legitimate. 
PowerShell is often used by administrators to perform various tasks, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.\",\n            \"tags\": {\n                \"mitre_attack_id\": [\n                    \"T1003.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\",\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"PR.IP\",\n                    \"PR.AC\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"access\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [\n                    \"LSASS Memory\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Credential Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"Whitefly\",\n                    \"Blue Mockingbird\",\n                    \"Silence\",\n                    \"Threat Group-3390\",\n                    \"Leviathan\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"TEMP.Veles\",\n                    \"APT33\",\n                    \"APT39\",\n                    \"Stolen Pencil\",\n                    \"APT32\",\n                    \"Lazarus Group\",\n                    \"Leafminer\",\n                    \"Magic Hound\",\n                    \"MuddyWater\",\n                    \"PLATINUM\",\n                    \"FIN8\",\n                    \"BRONZE BUTLER\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"APT3\",\n                    \"APT28\",\n                    
\"APT1\",\n                    \"Ke3chang\",\n                    \"Cleaver\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"eventtype=wineventlog_security\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"wineventlog_security\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_mimikatz_via_powershell_and_eventcode_4703_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect mshta exe running scripts in command-line arguments\",\n            \"id\": \"b89919ed-fe5f-492c-b139-95dqb161039e\",\n            \"version\": 3,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for the execution of \\\"mshta.exe\\\" with command-line arguments that launch a script. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \\\"mshta.exe\\\" and its parent process.\",\n            \"how_to_implement\": \"To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mshta.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search (process=*vbscript* OR process=*javascript*) | `detect_mshta_exe_running_scripts_in_command_line_arguments_filter`\",\n            \"known_false_positives\": \"Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious MSHTA Activity\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1059.003\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Exploitation\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Windows Command Shell\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"TA505\",\n                    \"Blue Mockingbird\",\n                    \"Tropic Trooper\",\n                    \"Frankenstein\",\n         
           \"OilRig\",\n                    \"Lazarus Group\",\n                    \"Honeybee\",\n                    \"Cobalt Group\",\n                    \"FIN7\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"Turla\",\n                    \"Silence\",\n                    \"APT32\",\n                    \"APT39\",\n                    \"Darkhotel\",\n                    \"MuddyWater\",\n                    \"APT18\",\n                    \"APT38\",\n                    \"Dark Caracal\",\n                    \"Gorgon Group\",\n                    \"Dragonfly 2.0\",\n                    \"Rancor\",\n                    \"Ke3chang\",\n                    \"APT37\",\n                    \"Leviathan\",\n                    \"FIN8\",\n                    \"APT28\",\n                    \"Magic Hound\",\n                    \"Sowbug\",\n                    \"BRONZE BUTLER\",\n                    \"FIN10\",\n                    \"Threat Group-3390\",\n                    \"menuPass\",\n                    \"Gamaredon Group\",\n                    \"Suckfly\",\n                    \"Patchwork\",\n                    \"Threat Group-1314\",\n                    \"APT3\",\n                    \"admin@338\",\n                    \"APT1\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n    
            {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_mshta_exe_running_scripts_in_command_line_arguments_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect New Local Admin account\",\n            \"id\": \"b25f6f62-0712-43c1-b203-083231ffd97d\",\n            \"version\": 2,\n            \"date\": \"2020-07-08\",\n            \"description\": \"This search looks for newly created accounts that have been elevated to local administrators.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`wineventlog_security` EventID=4720 OR (EventID=4732 Group_Name=Administrators) | transaction MemberSid connected=false maxspan=180m | rename MemberSid as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`\",\n            \"known_false_positives\": \"The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. 
If your local administrator group name is not \\\"Administrators\\\", this search may generate an excessive number of false positives\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"DHS Report TA18-074A\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1136.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\",\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"PR.AC\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"access\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [\n                    \"Local Account\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT39\",\n                    \"APT41\",\n                    \"Dragonfly 2.0\",\n                    \"Leafminer\",\n                    \"APT3\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"eventtype=wineventlog_security\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"wineventlog_security\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_new_local_admin_account_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Oulook exe writing a  zip file\",\n            \"id\": \"a51bfe1a-94f0-4822-b1e4-16ae10145893\",\n            \"version\": 3,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for execution of process `outlook.exe` where the process is writing a `.zip` file to the disk.\",\n            \"how_to_implement\": \"You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. 
This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon.\",\n            \"type\": \"ESCU\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly`  min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe OR Processes.process_name=explorer.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| rename parent_process_id as outlook_id| join malicious_id type=inner[| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name  FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*zip*   OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\\\\\\\Users* OR Filesystem.file_path=*Local\\\\\\\\Temp*) by  _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest  | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| fields malicious_id outlook_id dest file_path file_name file_hash count file_id] | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name  file_path | where file_name != \\\"\\\" | `detect_oulook_exe_writing_a__zip_file_filter` \",\n            \"known_false_positives\": \"It is not uncommon for outlook to write legitimate zip files to the disk.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Phishing Payloads\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1566.001\"\n                ],\n            
    \"kill_chain_phases\": [\n                    \"Installation\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 7\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"ID.AM\",\n                    \"PR.DS\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Spearphishing Attachment\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Magic Hound\",\n                    \"Windshift\",\n                    \"APT33\",\n                    \"Sandworm Team\",\n                    \"Naikon\",\n                    \"Gamaredon Group\",\n                    \"Sharpshooter\",\n                    \"Molerats\",\n                    \"Mofang\",\n                    \"Wizard Spider\",\n                    \"RTM\",\n                    \"Frankenstein\",\n                    \"Inception\",\n                    \"BlackTech\",\n                    \"APT-C-36\",\n                    \"APT41\",\n                    \"Machete\",\n                    \"admin@338\",\n                    \"Kimsuky\",\n                    \"APT12\",\n                    \"TA505\",\n                    \"Silence\",\n                    \"The White Company\",\n                    \"APT39\",\n                    \"FIN4\",\n                    \"Darkhotel\",\n                    \"Gallmaker\",\n                    \"Tropic Trooper\",\n                    \"Turla\",\n                    \"Gorgon Group\",\n                    \"Rancor\",\n                    \"DarkHydrus\",\n                    \"Cobalt Group\",\n                    \"FIN7\",\n                    \"OilRig\",\n                    \"Lazarus 
Group\",\n                    \"APT19\",\n                    \"Dragonfly 2.0\",\n                    \"BRONZE BUTLER\",\n                    \"APT32\",\n                    \"FIN8\",\n                    \"MuddyWater\",\n                    \"APT28\",\n                    \"TA459\",\n                    \"Leviathan\",\n                    \"Patchwork\",\n                    \"PLATINUM\",\n                    \"Elderwood\",\n                    \"APT29\",\n                    \"APT37\",\n                    \"menuPass\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_oulook_exe_writing_a__zip_file_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Path Interception By Creation Of program exe\",\n            \"id\": \"c77162d3-f93c-45cc-80c8-22f6v5264g9f\",\n            \"version\": 3,\n            \"date\": \"2020-07-03\",\n            \"description\": \"The detection Detect Path Interception By Creation Of program exe is detecting the abuse of unquoted service paths, which is a popular technique for privilege escalation. 
\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae\"\n            ],\n            \"author\": \"Patrick Bareiss, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | rex field=process \\\"^.*\\\\\\\\\\\\\\\\(?<service_process>.*\\\\.(?:exe|bat|com|ps1))\\\" | eval process_name = lower(process_name) | eval service_process = lower(service_process)| where process_name != service_process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_path_interception_by_creation_of_program_exe_filter`\",\n            \"known_false_positives\": \"unknown\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Persistence Techniques\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1574.009\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Path Interception by Unquoted Path\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n      
              \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_path_interception_by_creation_of_program_exe_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect processes used for System Network Configuration Discovery\",\n            \"id\": \"a51bfe1a-94f0-48cc-b1e4-16ae10145893\",\n            \"version\": 1,\n            \"date\": \"2018-11-20\",\n            \"description\": \"This search looks for fast execution of processes used for system network configuration discovery on the endpoint.\",\n            \"how_to_implement\": \"You must be ingesting data that records registry activity from your hosts to populate the Endpoint data model in the processes node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon. 
The data used for this search is usually generated via logs that report reads and writes to the registry or that are populated via Windows event logs, after enabling process tracking in your Windows audit settings.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter`\",\n            \"known_false_positives\": \"It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. 
These can generate false positives.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Unusual Processes\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Installation\",\n                    \"Command and Control\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 2\"\n                ],\n                \"nist\": [\n                    \"ID.AM\",\n                    \"PR.DS\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"(process_name= \\\"arp.exe\\\" OR process_name= \\\"at.exe\\\" OR process_name= \\\"attrib.exe\\\" OR process_name= \\\"cscript.exe\\\" OR process_name= \\\"dsquery.exe\\\" OR process_name= \\\"hostname.exe\\\" OR process_name= \\\"ipconfig.exe\\\" OR process_name= \\\"mimikatz.exe\\\" OR process_name= \\\"nbstat.exe\\\" OR process_name= \\\"net.exe\\\" OR process_name= \\\"netsh.exe\\\" OR process_name= \\\"nslookup.exe\\\" OR process_name= \\\"ping.exe\\\" OR 
process_name= \\\"quser.exe\\\" OR process_name= \\\"qwinsta.exe\\\" OR process_name= \\\"reg.exe\\\" OR process_name= \\\"runas.exe\\\" OR process_name= \\\"sc.exe\\\" OR process_name= \\\"schtasks.exe\\\" OR process_name= \\\"ssh.exe\\\" OR process_name= \\\"systeminfo.exe\\\" OR process_name= \\\"taskkill.exe\\\" OR process_name= \\\"telnet.exe\\\" OR process_name= \\\"tracert.exe\\\" OR process_name=\\\"wscript.exe\\\" OR process_name= \\\"xcopy.exe\\\")\",\n                    \"description\": \"This macro is a list of process that can be used to discover the network configuration\",\n                    \"name\": \"system_network_configuration_discovery_tools\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_processes_used_for_system_network_configuration_discovery_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Prohibited Applications Spawning cmd exe\",\n            \"id\": \"dcfd6b40-42f9-469d-a433-2e53f7486664\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts and populates the Endpoint data model with the resultant dataset. This search includes a lookup file, `prohibited_apps_launching_cmd.csv`, that contains a list of processes that should not be spawning cmd.exe. 
You can modify this lookup to better suit your environment.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.parent_process_name Processes.process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd`] | `detect_prohibited_applications_spawning_cmd_exe_filter`\",\n            \"known_false_positives\": \"There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate and modify the lookup file, as appropriate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Command-Line Executions\",\n                    \"Suspicious MSHTA Activity\",\n                    \"Suspicious Zoom Child Processes\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1059.003\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Exploitation\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Windows Command Shell\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"TA505\",\n                    \"Blue 
Mockingbird\",\n                    \"Tropic Trooper\",\n                    \"Frankenstein\",\n                    \"OilRig\",\n                    \"Lazarus Group\",\n                    \"Honeybee\",\n                    \"Cobalt Group\",\n                    \"FIN7\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"Turla\",\n                    \"Silence\",\n                    \"APT32\",\n                    \"APT39\",\n                    \"Darkhotel\",\n                    \"MuddyWater\",\n                    \"APT18\",\n                    \"APT38\",\n                    \"Dark Caracal\",\n                    \"Gorgon Group\",\n                    \"Dragonfly 2.0\",\n                    \"Rancor\",\n                    \"Ke3chang\",\n                    \"APT37\",\n                    \"Leviathan\",\n                    \"FIN8\",\n                    \"APT28\",\n                    \"Magic Hound\",\n                    \"Sowbug\",\n                    \"BRONZE BUTLER\",\n                    \"FIN10\",\n                    \"Threat Group-3390\",\n                    \"menuPass\",\n                    \"Gamaredon Group\",\n                    \"Suckfly\",\n                    \"Patchwork\",\n                    \"Threat Group-1314\",\n                    \"APT3\",\n                    \"admin@338\",\n                    \"APT1\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name=\\\"*\\\" . 
parent_process_name | table parent_process_name\",\n                    \"description\": \"This macro outputs a list of process that should not be the parent process of cmd.exe\",\n                    \"name\": \"prohibited_apps_launching_cmd\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_prohibited_applications_spawning_cmd_exe_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect PsExec With accepteula Flag\",\n            \"id\": \"b89919ed-fe5f-492c-b139-151xb162040e\",\n            \"version\": 2,\n            \"date\": \"2019-02-26\",\n            \"description\": \"This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument `accepteula` within the command line.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. 
You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = PsExec.exe Processes.process = \\\"*accepteula*\\\" by Processes.process_name Processes.dest  Processes.parent_process_name | `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_psexec_with_accepteula_flag_filter`\",\n            \"known_false_positives\": \"Administrators can leverage PsExec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. 
However, it is not likely that you'd see multiple occurrences of this event on a machine\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"SamSam Ransomware\",\n                    \"DHS Report TA18-074A\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1059.003\",\n                    \"T1059.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Windows Command Shell\",\n                    \"PowerShell\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\",\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"TA505\",\n                    \"Blue Mockingbird\",\n                    \"Tropic Trooper\",\n                    \"Frankenstein\",\n                    \"OilRig\",\n                    \"Lazarus Group\",\n                    \"Honeybee\",\n                    \"Cobalt Group\",\n                    \"FIN7\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"Turla\",\n                    \"Silence\",\n                    \"APT32\",\n                    \"APT39\",\n                    \"Darkhotel\",\n                    \"MuddyWater\",\n                    \"APT18\",\n                    \"APT38\",\n                    \"Dark Caracal\",\n                    \"Gorgon Group\",\n                    \"Dragonfly 2.0\",\n                    \"Rancor\",\n                    \"Ke3chang\",\n               
     \"APT37\",\n                    \"Leviathan\",\n                    \"FIN8\",\n                    \"APT28\",\n                    \"Magic Hound\",\n                    \"Sowbug\",\n                    \"BRONZE BUTLER\",\n                    \"FIN10\",\n                    \"Threat Group-3390\",\n                    \"menuPass\",\n                    \"Gamaredon Group\",\n                    \"Suckfly\",\n                    \"Patchwork\",\n                    \"Threat Group-1314\",\n                    \"APT3\",\n                    \"admin@338\",\n                    \"APT1\",\n                    \"Blue Mockingbird\",\n                    \"APT39\",\n                    \"DarkVishnya\",\n                    \"Molerats\",\n                    \"Wizard Spider\",\n                    \"Frankenstein\",\n                    \"Inception\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"Kimsuky\",\n                    \"Soft Cell\",\n                    \"TA505\",\n                    \"WIRTE\",\n                    \"TEMP.Veles\",\n                    \"APT33\",\n                    \"Gallmaker\",\n                    \"Turla\",\n                    \"APT19\",\n                    \"DarkHydrus\",\n                    \"APT28\",\n                    \"Thrip\",\n                    \"Gorgon Group\",\n                    \"Cobalt Group\",\n                    \"Dragonfly 2.0\",\n                    \"Leviathan\",\n                    \"TA459\",\n                    \"FIN8\",\n                    \"MuddyWater\",\n                    \"Magic Hound\",\n                    \"OilRig\",\n                    \"BRONZE BUTLER\",\n                    \"CopyKittens\",\n                    \"APT32\",\n                    \"FIN7\",\n                    \"FIN10\",\n                    \"Threat Group-3390\",\n                    \"menuPass\",\n                    \"Patchwork\",\n                    \"Stealth Falcon\",\n                    
\"FIN6\",\n                    \"Poseidon Group\",\n                    \"APT3\",\n                    \"APT29\",\n                    \"Deep Panda\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_psexec_with_accepteula_flag_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Rare Executables\",\n            \"id\": \"44fddcb2-8d3b-454c-874e-7c6de5a4f7ac\",\n            \"version\": 5,\n            \"date\": \"2020-03-16\",\n            \"description\": \"This search will return a table of rare processes, the names of the systems running them, and the users who initiated each process.\",\n            \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts and populating the endpoint data model with the resultant dataset. The macro `filter_rare_process_whitelist` searches two lookup files to whitelist your processes.  These consist of `rare_process_whitelist_default.csv` and `rare_process_whitelist_local.csv`. 
To add your own processes to the whitelist, add them to `rare_process_whitelist_local.csv`. If you wish to remove an entry from the default lookup file, you will have to modify the macro itself to set the whitelist value for that process to false. You can modify the limit parameter and search scheduling to better suit your environment.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name  | rename Processes.process_name as process | rex field=user \\\"(?<user_domain>.*)\\\\\\\\\\\\\\\\(?<user_name>.*)\\\" | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search [| tstats count from datamodel=Endpoint.Processes by Processes.process_name | rare Processes.process_name limit=30 | rename Processes.process_name as process| `filter_rare_process_whitelist`| table process ] | `detect_rare_executables_filter` \",\n            \"known_false_positives\": \"Some legitimate processes may be only rarely executed in your environment. 
As these are identified, update `rare_process_whitelist_local.csv` to filter them out of your search results.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Emotet Malware  DHS Report TA18-201A \",\n                    \"Unusual Processes\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Installation\",\n                    \"Command and Control\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 2\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"ID.AM\",\n                    \"PR.PT\",\n                    \"PR.DS\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"lookup update=true lookup_rare_process_whitelist_default process as process OUTPUTNEW whitelist | where whitelist=\\\"false\\\" | lookup update=true lookup_rare_process_whitelist_local process as process OUTPUT whitelist | where 
whitelist=\\\"false\\\"\",\n                    \"description\": \"This macro is intended to whitelist processes that have been definied as rare\",\n                    \"name\": \"filter_rare_process_whitelist\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_rare_executables_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect USB device insertion\",\n            \"id\": \"104658f4-afdc-499f-9719-17a43f9826f5\",\n            \"version\": 1,\n            \"date\": \"2017-11-27\",\n            \"description\": \"The search is used to detect hosts that generate Windows Event ID 4663 for successful attempts to write to or read from a removable storage and Event ID 4656 for failures, which occurs when a USB drive is plugged in. In this scenario we are querying the Change_Analysis data model to look for Windows Event ID 4656 or 4663 where the priority of the affected host is marked as high in the ES Assets and Identity Framework.\",\n            \"how_to_implement\": \"To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663 and 4656. Ensure that the field from the event logs is being mapped to the result_id field in the Change_Analysis data model. 
To minimize the alert volume, this search leverages the Assets and Identity framework to filter out events from those assets not marked high priority in the Enterprise Security Assets and Identity Framework.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count earliest(_time) AS earliest latest(_time) AS latest from datamodel=Change_Analysis where (nodename = All_Changes) All_Changes.result=\\\"Removable Storage device\\\" (All_Changes.result_id=4663 OR All_Changes.result_id=4656) (All_Changes.src_priority=high) by All_Changes.dest | `drop_dm_object_name(\\\"All_Changes\\\")`| `security_content_ctime(earliest)`| `security_content_ctime(latest)`  | `detect_usb_device_insertion_filter`\",\n            \"known_false_positives\": \"Legitimate USB activity will also be detected. Please verify and investigate as appropriate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Data Protection\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Installation\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 13\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"PR.DS\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n  
              {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_usb_device_insertion_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Use of cmd exe to Launch Script Interpreters\",\n            \"id\": \"b89919ed-fe5f-492c-b139-95dbb162039e\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine\",\n            \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\\\"cmd.exe\\\" (Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`\",\n            \"known_false_positives\": \"Some legitimate applications may exhibit this behavior.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Emotet Malware  DHS Report TA18-201A \",\n                    \"Suspicious Command-Line Executions\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1059.003\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Exploitation\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Windows Command Shell\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"TA505\",\n                    \"Blue Mockingbird\",\n                    \"Tropic Trooper\",\n                    \"Frankenstein\",\n                
    \"OilRig\",\n                    \"Lazarus Group\",\n                    \"Honeybee\",\n                    \"Cobalt Group\",\n                    \"FIN7\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"Turla\",\n                    \"Silence\",\n                    \"APT32\",\n                    \"APT39\",\n                    \"Darkhotel\",\n                    \"MuddyWater\",\n                    \"APT18\",\n                    \"APT38\",\n                    \"Dark Caracal\",\n                    \"Gorgon Group\",\n                    \"Dragonfly 2.0\",\n                    \"Rancor\",\n                    \"Ke3chang\",\n                    \"APT37\",\n                    \"Leviathan\",\n                    \"FIN8\",\n                    \"APT28\",\n                    \"Magic Hound\",\n                    \"Sowbug\",\n                    \"BRONZE BUTLER\",\n                    \"FIN10\",\n                    \"Threat Group-3390\",\n                    \"menuPass\",\n                    \"Gamaredon Group\",\n                    \"Suckfly\",\n                    \"Patchwork\",\n                    \"Threat Group-1314\",\n                    \"APT3\",\n                    \"admin@338\",\n                    \"APT1\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n           
     {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_use_of_cmd_exe_to_launch_script_interpreters_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Windows DNS SIGRed via Splunk Stream\",\n            \"id\": \"babd8d10-d073-11ea-87d0-0242ac130003\",\n            \"version\": 1,\n            \"date\": \"2020-07-28\",\n            \"description\": \"This search detects SIGRed via Splunk Stream.\",\n            \"how_to_implement\": \"You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp.  Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\"\n            ],\n            \"author\": \"Shannon Davis, Splunk\",\n            \"search\": \"`stream_dns` | spath \\\"query_type{}\\\" | search \\\"query_type{}\\\" IN (SIG,KEY) | spath protocol_stack | search protocol_stack=\\\"ip:tcp:dns\\\" | append [search `stream_tcp` bytes_out>65000] | `detect_windows_dns_sigred_via_splunk_stream_filter` | stats count by flow_id | where count>1 | fields - count\",\n            \"known_false_positives\": \"unknown\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows DNS SIGRed CVE-2020-1350\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1203\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Exploitation\"\n                ],\n                \"cis20\": [\n                    \"CIS 
8\",\n                    \"CIS 12\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Exploitation for Client Execution\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"MuddyWater\",\n                    \"Frankenstein\",\n                    \"Inception\",\n                    \"BlackTech\",\n                    \"APT41\",\n                    \"admin@338\",\n                    \"Threat Group-3390\",\n                    \"APT12\",\n                    \"The White Company\",\n                    \"APT33\",\n                    \"APT32\",\n                    \"APT28\",\n                    \"Tropic Trooper\",\n                    \"Lazarus Group\",\n                    \"BRONZE BUTLER\",\n                    \"Cobalt Group\",\n                    \"APT37\",\n                    \"Patchwork\",\n                    \"Leviathan\",\n                    \"Elderwood\",\n                    \"TA459\",\n                    \"APT29\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=stream:tcp\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"stream_tcp\"\n                },\n                {\n                    \"definition\": \"sourcetype=stream:dns\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"stream_dns\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_windows_dns_sigred_via_splunk_stream_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Windows DNS SIGRed via Zeek\",\n            \"id\": \"c5c622e4-d073-11ea-87d0-0242ac130003\",\n            \"version\": 1,\n            \"date\": \"2020-07-28\",\n            \"description\": \"This search detects SIGRed via Zeek DNS and Zeek Conn data.\",\n            \"how_to_implement\": \"You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format.  We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json.  
The Network Resolution and Network Traffic datamodels are in use for this search.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\"\n            ],\n            \"author\": \"Shannon Davis, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.query_type IN (SIG,KEY) by DNS.flow_id | rename DNS.flow_id as flow_id | append [| tstats  `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id as flow_id] | `detect_windows_dns_sigred_via_zeek_filter` | stats count by flow_id | where count>1 | fields - count \",\n            \"known_false_positives\": \"unknown\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows DNS SIGRed CVE-2020-1350\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1203\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Exploitation\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Exploitation for Client Execution\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"MuddyWater\",\n                    \"Frankenstein\",\n                    \"Inception\",\n                    \"BlackTech\",\n           
         \"APT41\",\n                    \"admin@338\",\n                    \"Threat Group-3390\",\n                    \"APT12\",\n                    \"The White Company\",\n                    \"APT33\",\n                    \"APT32\",\n                    \"APT28\",\n                    \"Tropic Trooper\",\n                    \"Lazarus Group\",\n                    \"BRONZE BUTLER\",\n                    \"Cobalt Group\",\n                    \"APT37\",\n                    \"Patchwork\",\n                    \"Leviathan\",\n                    \"Elderwood\",\n                    \"TA459\",\n                    \"APT29\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_windows_dns_sigred_via_zeek_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detection of tools built by NirSoft\",\n            \"id\": \"1297fb80-f42a-4q4a-9c8b-78c061417cf6\",\n            \"version\": 3,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for specific command-line arguments that may indicate the execution of tools made by Nirsoft, which are legitimate, but may be abused by attackers.\",\n            \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\\\"* /stext *\\\" OR Processes.process=\\\"* /scomma *\\\" ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detection_of_tools_built_by_nirsoft_filter`\",\n            \"known_false_positives\": \"While legitimate, these NirSoft tools are prone to abuse. You should verfiy that the tool was used for a legitimate purpose.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Emotet Malware  DHS Report TA18-201A \"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1072\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Installation\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\"\n                ],\n                \"nist\": [\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Software Deployment Tools\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\",\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Silence\",\n                    \"APT32\",\n                    \"Threat Group-1314\"\n                ]\n            },\n            \"macros\": 
[\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detection_of_tools_built_by_nirsoft_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Disabling Remote User Account Control\",\n            \"id\": \"bbc644bc-37df-4e1a-9c88-ec9a53e2038c\",\n            \"version\": 3,\n            \"date\": \"2020-03-02\",\n            \"description\": \"The search looks for modifications to registry keys that control the enforcement of Windows User Account Control (UAC).\",\n            \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or via other endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report registry modifications.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=\\\"*Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\LocalAccountTokenFilterPolicy\\\" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`\",\n            \"known_false_positives\": \"This registry key may be modified via administrators to implement a change in system policy. This type of change should be a very rare occurrence.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Defense Evasion Tactics\",\n                    \"Suspicious Windows Registry Activities\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1112\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Modify Registry\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Gamaredon Group\",\n                    \"Blue Mockingbird\",\n                    \"Wizard Spider\",\n                    
\"Silence\",\n                    \"APT41\",\n                    \"Turla\",\n                    \"APT32\",\n                    \"APT38\",\n                    \"Dragonfly 2.0\",\n                    \"APT19\",\n                    \"Threat Group-3390\",\n                    \"Honeybee\",\n                    \"Patchwork\",\n                    \"Gorgon Group\",\n                    \"FIN8\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"disabling_remote_user_account_control_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Dump LSASS via comsvcs DLL\",\n            \"id\": \"8943b567-f14d-4ee8-a0bb-2121d4ce3184\",\n            \"version\": 1,\n            \"date\": \"2020-02-21\",\n            \"description\": \"Detect the usage of comsvcs.dll for dumping the lsass process.\",\n            \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\",\n                \"https://twitter.com/SBousseaden/status/1167417096374050817\"\n            ],\n            \"author\": \"Patrick Bareiss, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process=*comsvcs.dll* Processes.process=*MiniDump* by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`\",\n            \"known_false_positives\": \"None identified.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Credential Dumping\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1003.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\",\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"LSASS Memory\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Credential Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"Whitefly\",\n                    \"Blue Mockingbird\",\n      
              \"Silence\",\n                    \"Threat Group-3390\",\n                    \"Leviathan\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"TEMP.Veles\",\n                    \"APT33\",\n                    \"APT39\",\n                    \"Stolen Pencil\",\n                    \"APT32\",\n                    \"Lazarus Group\",\n                    \"Leafminer\",\n                    \"Magic Hound\",\n                    \"MuddyWater\",\n                    \"PLATINUM\",\n                    \"FIN8\",\n                    \"BRONZE BUTLER\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"APT3\",\n                    \"APT28\",\n                    \"APT1\",\n                    \"Ke3chang\",\n                    \"Cleaver\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"dump_lsass_via_comsvcs_dll_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Execution of File with Multiple Extensions\",\n            \"id\": \"b06a555e-dce0-417d-a2eb-28a5d8d66ef7\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for processes launched from files that have double extensions in the file name. This is typically done to obscure the \\\"real\\\" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content.\",\n            \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = *.doc.exe OR Processes.process = *.htm.exe OR Processes.process = *.html.exe OR Processes.process = *.txt.exe OR Processes.process = *.pdf.exe OR Processes.process = *.doc.exe by Processes.dest Processes.user Processes.process Processes.parent_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_multiple_extensions_filter`\",\n            \"known_false_positives\": \"None identified.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows File Extension and Association Abuse\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1036\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                
\"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.CM\",\n                    \"PR.PT\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Masquerading\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Windshift\",\n                    \"APT32\",\n                    \"BRONZE BUTLER\",\n                    \"menuPass\",\n                    \"Dragonfly 2.0\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"execution_of_file_with_multiple_extensions_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Execution of File With Spaces Before Extension\",\n            \"id\": \"ab0353e6-a956-420b-b724-a8b4846d5d5a\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view.\",\n            \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process_path) as process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \\\"*     .*\\\" by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_spaces_before_extension_filter`\",\n            \"known_false_positives\": \"None identified.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows File Extension and Association Abuse\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1036\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 
8\"\n                ],\n                \"nist\": [\n                    \"DE.CM\",\n                    \"PR.PT\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Masquerading\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Windshift\",\n                    \"APT32\",\n                    \"BRONZE BUTLER\",\n                    \"menuPass\",\n                    \"Dragonfly 2.0\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"execution_of_file_with_spaces_before_extension_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Extended Period Without Successful Netbackup Backups\",\n            \"id\": \"a34aae96-ccf8-4aef-952c-3ea214444440\",\n            \"version\": 1,\n            \"date\": \"2017-09-12\",\n            \"description\": \"This search returns a list of hosts that have not successfully completed a backup in over a week.\",\n            \"how_to_implement\": \"To successfully implement this search you need to first obtain data from your backup solution, either from the backup logs on your hosts, or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your backup solution. Depending on how often you backup your systems, you may want to modify how far in the past to look for a successful backup, other than the default of seven days.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`netbackup` MESSAGE=\\\"Disk/Partition backup completed successfully.\\\" | stats latest(_time) as latestTime by COMPUTERNAME | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest | eval isOutlier=if(latestTime <= relative_time(now(), \\\"-7d@d\\\"), 1, 0) | search isOutlier=1 | table latestTime, dest | `extended_period_without_successful_netbackup_backups_filter`\",\n            \"known_false_positives\": \"None identified\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Monitor Backup Solution\"\n                ],\n                \"cis20\": [\n                    \"CIS 10\"\n                ],\n                \"nist\": [\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                
\"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"sourcetype=\\\"netbackup_logs\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"netbackup\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"extended_period_without_successful_netbackup_backups_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"File with Samsam Extension\",\n            \"id\": \"02c6cfc2-ae66-4735-bfc7-6291da834cbf\",\n            \"version\": 1,\n            \"date\": \"2018-12-14\",\n            \"description\": \"The search looks for file writes with extensions consistent with a SamSam ransomware attack.\",\n            \"how_to_implement\": \"You must be ingesting data that records file-system activity from your hosts to populate the Endpoint file-system data-model node. 
If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name \\\"(?<file_extension>\\\\.[^\\\\.]+)$\\\" | search file_extension=.stubbin OR file_extension=.berkshire OR file_extension=.satoshi OR file_extension=.sophos OR file_extension=.keyxml | `file_with_samsam_extension_filter`\",\n            \"known_false_positives\": \"Because these extensions are not typically used in normal operations, you should investigate all results.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"SamSam Ransomware\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Installation\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n         
       },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"file_with_samsam_extension_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"First Time Seen Child Process of Zoom\",\n            \"id\": \"e91bd102-d630-4e76-ab73-7e3ba22c5961\",\n            \"version\": 1,\n            \"date\": \"2020-05-20\",\n            \"description\": \"This search looks for child processes spawned by zoom.exe or zoom.us that has not previously been seen.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You should run the baseline search `Previously Seen Zoom Child Processes - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Zoom Child Processes - Update` to keep this table up to date and to age out old child processes. 
Please update the `previously_seen_zoom_child_processes_window` macro to adjust the time window.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_id) as parent_process_id values(Processes.process_name) as process_name values(Processes.process) as process from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_id Processes.dest | `drop_dm_object_name(Processes)` | lookup zoom_first_time_child_process dest as dest process_name as process_name OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), \\\"`previously_seen_zoom_child_processes_window`\\\") | `security_content_ctime(firstTime)` | table firstTime dest, process_id, process_name, parent_process_id, parent_process_name |`first_time_seen_child_process_of_zoom_filter`\",\n            \"known_false_positives\": \"A new child process of zoom isn't malicious by that fact alone. 
Further investigation of the actions of the child process is needed to verify any malicious behavior is taken.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Zoom Child Processes\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1068\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Exploitation for Privilege Escalation\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Whitefly\",\n                    \"APT33\",\n                    \"Cobalt Group\",\n                    \"PLATINUM\",\n                    \"FIN8\",\n                    \"APT32\",\n                    \"Threat Group-3390\",\n                    \"FIN6\",\n                    \"APT28\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously Seen Zoom Child Processes - Initial\",\n                    \"id\": \"60b9c00f-a9d6-4e51-803c-5d63ea21b95b\",\n                    \"version\": 1,\n                    \"date\": \"2020-05-20\",\n                    \"description\": \"This search returns the first and last time a process was seen per endpoint with a parent process of zoom.exe (Windows) or zoom.us (macOS). 
This table is then cached.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTimeSeen max(_time) as lastTimeSeen from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_name Processes.dest| `drop_dm_object_name(Processes)` | table dest, process_name, firstTimeSeen, lastTimeSeen | outputlookup zoom_first_time_child_process\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Zoom Child Processes\"\n                        ],\n                        \"detections\": [\n                            \"First Time Seen Child Process of Zoom\"\n                        ],\n                        \"deployments\": [\n                            \"90 Day Baseline\"\n                        ]\n                    }\n                },\n                {\n                    \"name\": \"Previously Seen Zoom Child Processes - Update\",\n                    \"id\": \"80aea7fd-5da2-4533-b3c2-560533bfbaee\",\n                    \"version\": 1,\n                    \"date\": \"2020-05-20\",\n                    \"description\": \"This search returns the first and last time a process was seen per endpoint with a parent process of zoom.exe (Windows) or zoom.us (macOS) within the last hour. It then updates this information with historical data and filters out proces_name and endpoint pairs that have not been seen within the specified time window. 
This updated table is outputed to disk.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTimeSeen max(_time) as lastTimeSeen from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_name Processes.dest| `drop_dm_object_name(Processes)` | table firstTimeSeen, lastTimeSeen, process_name, dest | inputlookup zoom_first_time_child_process append=t | stats min(firstTimeSeen) as firstTimeSeen max(lastTimeSeen) as lastTimeSeen by process_name, dest | where lastTimeSeen > relative_time(now(), \\\"`previously_seen_zoom_child_processes_forget_window`\\\") | outputlookup zoom_first_time_child_process\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Zoom Child Processes\"\n                        ],\n                        \"detections\": [\n                            \"First Time Seen Child Process of Zoom\"\n                        ],\n                        \"deployments\": [\n                            \"Hourly Cache Updates\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert 
timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"description\": \"Use this macro to determine how far back you should be checking for new zoom child processes\",\n                    \"definition\": \"-70m@m\",\n                    \"name\": \"previously_seen_zoom_child_processes_window\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"first_time_seen_child_process_of_zoom_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"First time seen command line argument - SSA\",\n            \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd23\",\n            \"version\": 1,\n            \"date\": \"2020-6-25\",\n            \"description\": \"This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen. 
This is an implementation on SPL2 of the rule `First time seen command line argument` by @bpatel.\",\n            \"how_to_implement\": \"You must be populating the endpoint data model for SSA and specifically the process_name and the process fields\",\n            \"author\": \"Ignacio Bermudez Corrales, Splunk\",\n            \"type\": \"SSA\",\n            \"search\": \"| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, \\\"_time\\\"), \\\"string\\\", null)) | eval dest_user_id=ucast(map_get(input_event, \\\"dest_user_id\\\"), \\\"string\\\", null), dest_device_id=ucast(map_get(input_event, \\\"dest_device_id\\\"), \\\"string\\\", null), process_name=ucast(map_get(input_event, \\\"process_name\\\"), \\\"string\\\", null), cmd_line=lower(ucast(map_get(input_event, \\\"process\\\"), \\\"string\\\", null)) | where process_name=\\\"cmd.exe\\\" AND match_regex(ucast(cmd_line, \\\"string\\\", \\\"\\\"), /.* \\\\/[cC] .*/)=true | first_time_event cache_partitions=5 input_columns=\\\"cmd_line\\\" | where first_time_cmd_line | eval start_time = timestamp, end_time = timestamp, entities = mvappend(dest_device_id, dest_user_id), body = \\\"TBD\\\" | into write_ssa_detected_events();\",\n            \"eli5\": \"The subsearch returns all events where `cmd.exe` was used with a `/c` parameter in the command-line arguments to execute other commands/programs. It appends the historical data to those results in the lookup file. Next, it recalculates the `firstTime` and `lastTime` field for command-line execution and outputs this data to the lookup file to update the local cache. It returns only those events that have first been seen in the past one hour. This is combined with the main search to return the time, user, destination, process, parent process, and value of the command-line argument.\",\n            \"known_false_positives\": \"Legitimate programs can also use command-line arguments to execute. 
Please verify the command-line arguments to check what command/program is being executed. We recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name\",\n            \"tags\": {\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 8\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\",\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack\": [\n                    \"Execution\",\n                    \"Scripting\",\n                    \"Persistence\",\n                    \"Command-Line Interface\"\n                ],\n                \"mitre_technique_id\": [\n                    \"T1059\",\n                    \"T1117\",\n                    \"T1202\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\",\n                    \"PR.IP\"\n                ],\n                \"risk_severity\": \"low\",\n                \"security_domain\": \"endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            }\n        },\n        {\n            \"name\": \"First time seen command line argument\",\n            \"id\": \"9be56c82-b1cc-4318-87eb-q138afaaqa39\",\n            \"version\": 5,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. 
The complete process name with command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. Please make sure you run the support search \\\"Previously seen command line arguments,\\\"&#151;which creates a lookup file called `previously_seen_cmd_line_arguments.csv`&#151;a historical baseline of all command-line arguments. You must also validate this list. For the search to do accurate calculation, ensure the search scheduling is the same value as the `relative_time` evaluation function.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \\\"* /c *\\\" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest| `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \\\"* /c *\\\" by Processes.process | `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter` \",\n            \"known_false_positives\": \"Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. 
We recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"DHS Report TA18-074A\",\n                    \"Suspicious Command-Line Executions\",\n                    \"Orangeworm Attack Group\",\n                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                    \"Hidden Cobra Malware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1059.001\",\n                    \"T1059.003\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"PowerShell\",\n                    \"Windows Command Shell\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\",\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"APT39\",\n                    \"DarkVishnya\",\n                    \"Molerats\",\n                    \"Wizard Spider\",\n                    \"Frankenstein\",\n                    \"Inception\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"Kimsuky\",\n                    \"Soft Cell\",\n                    \"TA505\",\n                    \"WIRTE\",\n                    \"TEMP.Veles\",\n                    
\"APT33\",\n                    \"Gallmaker\",\n                    \"Turla\",\n                    \"APT19\",\n                    \"DarkHydrus\",\n                    \"APT28\",\n                    \"Thrip\",\n                    \"Gorgon Group\",\n                    \"Cobalt Group\",\n                    \"Dragonfly 2.0\",\n                    \"Leviathan\",\n                    \"TA459\",\n                    \"FIN8\",\n                    \"MuddyWater\",\n                    \"Magic Hound\",\n                    \"OilRig\",\n                    \"BRONZE BUTLER\",\n                    \"CopyKittens\",\n                    \"APT32\",\n                    \"FIN7\",\n                    \"FIN10\",\n                    \"Threat Group-3390\",\n                    \"menuPass\",\n                    \"Patchwork\",\n                    \"Stealth Falcon\",\n                    \"FIN6\",\n                    \"Poseidon Group\",\n                    \"APT3\",\n                    \"APT29\",\n                    \"Deep Panda\",\n                    \"TA505\",\n                    \"Blue Mockingbird\",\n                    \"Tropic Trooper\",\n                    \"Frankenstein\",\n                    \"OilRig\",\n                    \"Lazarus Group\",\n                    \"Honeybee\",\n                    \"Cobalt Group\",\n                    \"FIN7\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"Turla\",\n                    \"Silence\",\n                    \"APT32\",\n                    \"APT39\",\n                    \"Darkhotel\",\n                    \"MuddyWater\",\n                    \"APT18\",\n                    \"APT38\",\n                    \"Dark Caracal\",\n                    \"Gorgon Group\",\n                    \"Dragonfly 2.0\",\n                    \"Rancor\",\n                    \"Ke3chang\",\n                    \"APT37\",\n                    \"Leviathan\",\n                    \"FIN8\",\n        
            \"APT28\",\n                    \"Magic Hound\",\n                    \"Sowbug\",\n                    \"BRONZE BUTLER\",\n                    \"FIN10\",\n                    \"Threat Group-3390\",\n                    \"menuPass\",\n                    \"Gamaredon Group\",\n                    \"Suckfly\",\n                    \"Patchwork\",\n                    \"Threat Group-1314\",\n                    \"APT3\",\n                    \"admin@338\",\n                    \"APT1\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously seen command line arguments\",\n                    \"id\": \"56059acf-50fe-4f60-98d1-b75b51b5c2f3\",\n                    \"version\": 2,\n                    \"date\": \"2019-03-01\",\n                    \"description\": \"This search looks for command-line arguments where `cmd.exe /c` is used to execute a program, then creates a baseline of the earliest and latest times we have encountered this command-line argument in our dataset within the last 30 days.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. 
The complete process name with command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe AND Processes.process=\\\"* /c *\\\" by Processes.process | `drop_dm_object_name(Processes)`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DHS Report TA18-074A\",\n                            \"Disabling Security Tools\",\n                            \"Hidden Cobra Malware\",\n                            \"Netsh Abuse\",\n                            \"Orangeworm Attack Group\",\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Suspicious Command-Line Executions\",\n                            \"Suspicious MSHTA Activity\"\n                        ],\n                        \"detections\": [\n                            \"Detect Prohibited Applications Spawning cmd.exe\",\n                            \"Processes launching netsh\",\n                            \"First time seen command line argument\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch 
time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"first_time_seen_command_line_argument_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"First Time Seen Running Windows Service\",\n            \"id\": \"823136f2-d755-4b6d-ae04-372b486a5808\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for the first and last time a Windows service is seen running in your environment. This table is then cached.\",\n            \"how_to_implement\": \"While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows system event logs in order for this search to execute successfully. You should run the baseline search `Previously Seen Running Windows Services - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Running Windows Services - Update` to keep this table up to date and to age out old Windows Services. Please update the `previously_seen_windows_service_window` macro to adjust the time window. 
Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`wineventlog_system` EventCode=7036 | rex field=Message \\\"The (?<service>[-\\\\(\\\\)\\\\s\\\\w]+) service entered the (?<state>\\\\w+) state\\\" | where state=\\\"running\\\" | lookup previously_seen_running_windows_services service as service OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), \\\"`previously_seen_windows_service_window`\\\") | table _time dest service | `first_time_seen_running_windows_service_filter`\",\n            \"known_false_positives\": \"A previously unseen service is not necessarily malicious. Verify that the service is legitimate and that was installed by a legitimate process.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Service Abuse\",\n                    \"Orangeworm Attack Group\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1569.002\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Installation\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 2\",\n                    \"CIS 9\"\n                ],\n                \"nist\": [\n                    \"ID.AM\",\n                    \"PR.DS\",\n                    \"PR.AC\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Service Execution\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue 
Mockingbird\",\n                    \"APT39\",\n                    \"APT41\",\n                    \"Silence\",\n                    \"FIN6\",\n                    \"APT32\",\n                    \"Honeybee\",\n                    \"Ke3chang\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Previously Seen Running Windows Services - Initial\",\n                    \"id\": \"64ce0ade-cb01-4678-bddd-d31c0b175394\",\n                    \"version\": 3,\n                    \"date\": \"2020-06-23\",\n                    \"description\": \"This collects the services that have been started across your entire enterprise.\",\n                    \"how_to_implement\": \"While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows security-event logs for it to execute successfully. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`wineventlog_system` EventCode=7036 | rex field=Message \\\"The (?<service>[-\\\\(\\\\)\\\\s\\\\w]+) service entered the (?<state>\\\\w+) state\\\" | where state=\\\"running\\\" | stats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen by service | outputlookup previously_seen_running_windows_services\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Orangeworm Attack Group\",\n                            \"Windows Service Abuse\"\n                        ],\n                        \"detections\": [\n                            \"First Time Seen Running Windows Service\"\n                        ],\n                        \"deployments\": [\n                            \"90 Day Baseline\"\n                        ]\n                    }\n                },\n                {\n                    \"name\": \"Previously Seen Running 
Windows Services - Update\",\n                    \"id\": \"2e3bdd68-1863-46ee-81f8-87273eee7f1c\",\n                    \"version\": 3,\n                    \"date\": \"2020-06-23\",\n                    \"description\": \"This search returns the first and last time a Windows service was seen across your enterprise within the last hour. It then updates this information with historical data and filters out Windows services pairs that have not been seen within the specified time window. This updated table is then cached.\",\n                    \"how_to_implement\": \"While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows security-event logs for it to execute successfully. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`wineventlog_system` EventCode=7036 | rex field=Message \\\"The (?<service>[-\\\\(\\\\)\\\\s\\\\w]+) service entered the (?<state>\\\\w+) state\\\" | where state=\\\"running\\\" | stats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen by service | inputlookup previously_seen_running_windows_services append=t | stats min(firstTimeSeen) as firstTimeSeen, max(lastTimeSeen) as lastTimeSeen by service | where lastTimeSeen > relative_time(now(), \\\"`previously_seen_windows_service_forget_window`\\\") | outputlookup previously_seen_running_windows_services\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Orangeworm Attack Group\",\n                            \"Windows Service Abuse\"\n                        ],\n                        \"detections\": [\n                            \"First Time Seen Running Windows Service\"\n                        ],\n                        \"deployments\": [\n                            \"Hourly Cache Updates\"\n                        ]\n                    }\n  
              }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"eventtype=wineventlog_system\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                    \"name\": \"wineventlog_system\"\n                },\n                {\n                    \"description\": \"Use this macro to determine how far back you should be checking for new Windows services\",\n                    \"definition\": \"-70m@m\",\n                    \"name\": \"previously_seen_windows_service_window\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"first_time_seen_running_windows_service_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Hiding Files And Directories With Attrib exe\",\n            \"id\": \"c77162d3-f93c-45cc-80c8-22f6b5264g9f\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"Attackers leverage an existing Windows binary, attrib.exe, to mark specific files as hidden by using specific flags so that the victim does not see the file.  The search looks for specific command-line arguments to detect the use of attrib.exe to hide files.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=attrib.exe (Processes.process=*+h*) by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `hiding_files_and_directories_with_attrib_exe_filter` \",\n            \"known_false_positives\": \"Some applications and users may legitimately use attrib.exe to interact with the files. \",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Defense Evasion Tactics\",\n                    \"Windows Persistence Techniques\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1222.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"\",\n                \"mitre_attack_technique\": [\n                    \"Windows File and Directory Permissions Modification\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n    
                \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"hiding_files_and_directories_with_attrib_exe_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Kerberoasting spn request with RC4 encryption\",\n            \"id\": \"5cc67381-44fa-4111-8a37-7a230943f027\",\n            \"version\": 3,\n            \"date\": \"2020-10-16\",\n            \"description\": \"This search detects a potential kerberoasting attack via service principal name requests\",\n            \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, and include the windows security event logs that contain kerberos\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1208/T1208.md\",\n                \"https://www.trimarcsecurity.com/post/trimarcresearch-detecting-kerberoasting-activity\"\n            ],\n            \"author\": \"Jose Hernandez, Patrick Bareiss, Splunk\",\n            \"search\": \"`wineventlog_security` EventCode=4769 Ticket_Options=0x40810000 Ticket_Encryption_Type=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, Ticket_Encryption_Type, Ticket_Options | 
`security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberoasting_spn_request_with_rc4_encryption_filter`\",\n            \"known_false_positives\": \"Older systems that support kerberos RC4 by default NetApp may generate false positives\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1558.003\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"automated_detection_testing\": \"passed\",\n                \"dataset\": [\n                    \"https://attack-range-attack-data.s3-us-west-2.amazonaws.com/T1558.003/windows-security.log\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Kerberoasting\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Credential Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"eventtype=wineventlog_security\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                    \"name\": \"wineventlog_security\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"kerberoasting_spn_request_with_rc4_encryption_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"MacOS - Re-opened Applications\",\n            \"id\": \"40bb64f9-f619-4e3d-8732-328d40377c4b\",\n            \"version\": 1,\n            \"date\": \"2020-02-07\",\n            \"description\": \"This search looks for processes referencing the plist files that determine which applications are re-opened when a user reboots their machine.\",\n            \"how_to_implement\": \"In order to properly run this search, Splunk needs to ingest process data from your osquery deployed agents with the [splunk.conf](https://github.com/splunk/TA-osquery/blob/master/config/splunk.conf) pack enabled. 
Also the [TA-OSquery](https://github.com/splunk/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the data populate the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Jamie Windley, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=\\\"*com.apple.loginwindow*\\\" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `macos___re_opened_applications_filter`\",\n            \"known_false_positives\": \"At this stage, there are no known false positives. During testing, no process events referring to the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. Therefore, it can be assumed that any occurrences of this in the process events would be worth investigating. 
In the event that the legitimate modification by the system of these files is in fact logged to the process log, then the process_name of that process can be whitelisted.\",\n            \"tags\": {\n                \"kill_chain_phases\": [\n                    \"Installation\",\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"threat\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"macos___re_opened_applications_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Malicious PowerShell Process - Connect To Internet With Hidden Window\",\n            \"id\": \"ee18ed37-0802-4268-9435-b3b91aaa18db\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for PowerShell processes started with parameters to modify the execution policy of the run, run in a hidden window, and connect to the Internet. This combination of command-line options is suspicious because it's overriding the default PowerShell execution policy, attempts to hide its activity from the user, and connects to the Internet.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=\\\"*-Exec*\\\" process=\\\"*-WindowStyle*\\\" process=\\\"*hidden*\\\" process=\\\"*New-Object*\\\" process=\\\"*System.Net.WebClient*\\\" | `malicious_powershell_process___connect_to_internet_with_hidden_window_filter`\",\n            \"known_false_positives\": \"Legitimate process can have this combination of command-line options, but it's not common.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Malicious PowerShell\",\n                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1059.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 7\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n          
          \"PowerShell\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"APT39\",\n                    \"DarkVishnya\",\n                    \"Molerats\",\n                    \"Wizard Spider\",\n                    \"Frankenstein\",\n                    \"Inception\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"Kimsuky\",\n                    \"Soft Cell\",\n                    \"TA505\",\n                    \"WIRTE\",\n                    \"TEMP.Veles\",\n                    \"APT33\",\n                    \"Gallmaker\",\n                    \"Turla\",\n                    \"APT19\",\n                    \"DarkHydrus\",\n                    \"APT28\",\n                    \"Thrip\",\n                    \"Gorgon Group\",\n                    \"Cobalt Group\",\n                    \"Dragonfly 2.0\",\n                    \"Leviathan\",\n                    \"TA459\",\n                    \"FIN8\",\n                    \"MuddyWater\",\n                    \"Magic Hound\",\n                    \"OilRig\",\n                    \"BRONZE BUTLER\",\n                    \"CopyKittens\",\n                    \"APT32\",\n                    \"FIN7\",\n                    \"FIN10\",\n                    \"Threat Group-3390\",\n                    \"menuPass\",\n                    \"Patchwork\",\n                    \"Stealth Falcon\",\n                    \"FIN6\",\n                    \"Poseidon Group\",\n                    \"APT3\",\n                    \"APT29\",\n                    \"Deep Panda\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n      
              \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"malicious_powershell_process___connect_to_internet_with_hidden_window_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Malicious PowerShell Process - Encoded Command\",\n            \"id\": \"c4db14d9-7909-48b4-a054-aa14d89dbb19\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for PowerShell processes that have encoded the script within the command-line. Malware has been seen using this parameter, as it obfuscates the code and makes it relatively easy to pass a script on the command-line.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = powershell.exe (Processes.process=*-EncodedCommand* OR Processes.process=*-enc*) by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `malicious_powershell_process___encoded_command_filter`\",\n            \"known_false_positives\": \"System administrators may use this option, but it's not common.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Malicious PowerShell\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1027\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 7\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Obfuscated Files or Information\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Gamaredon Group\",\n                    
\"Rocke\",\n                    \"Sandworm Team\",\n                    \"Blue Mockingbird\",\n                    \"Whitefly\",\n                    \"Molerats\",\n                    \"Wizard Spider\",\n                    \"Mofang\",\n                    \"Frankenstein\",\n                    \"Inception\",\n                    \"APT-C-36\",\n                    \"APT41\",\n                    \"Machete\",\n                    \"Soft Cell\",\n                    \"Turla\",\n                    \"TA505\",\n                    \"Silence\",\n                    \"APT33\",\n                    \"Night Dragon\",\n                    \"Darkhotel\",\n                    \"Gallmaker\",\n                    \"APT29\",\n                    \"APT18\",\n                    \"Tropic Trooper\",\n                    \"Cobalt Group\",\n                    \"Patchwork\",\n                    \"Leafminer\",\n                    \"APT37\",\n                    \"Threat Group-3390\",\n                    \"Honeybee\",\n                    \"Dark Caracal\",\n                    \"menuPass\",\n                    \"APT19\",\n                    \"BlackOasis\",\n                    \"FIN8\",\n                    \"Leviathan\",\n                    \"Elderwood\",\n                    \"MuddyWater\",\n                    \"FIN7\",\n                    \"Magic Hound\",\n                    \"OilRig\",\n                    \"APT3\",\n                    \"APT32\",\n                    \"Group5\",\n                    \"Dust Storm\",\n                    \"Lazarus Group\",\n                    \"Putter Panda\",\n                    \"APT28\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n   
                 \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"malicious_powershell_process___encoded_command_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Malicious PowerShell Process - Execution Policy Bypass\",\n            \"id\": \"9be56c82-b1cc-4318-87eb-d138afaaca39\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for PowerShell processes started with parameters used to bypass the local execution policy for scripts. These parameters are often observed in attacks leveraging PowerShell scripts as they override the default PowerShell execution policy.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe AND (Processes.process=\\\"* -ex*\\\" OR Processes.process=\\\"* bypass *\\\") by Processes.process_id, Processes.user, Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___execution_policy_bypass_filter`\",\n            \"known_false_positives\": \"There may be legitimate reasons to bypass the PowerShell execution policy. The PowerShell script being run with this parameter should be validated to ensure that it is legitimate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"DHS Report TA18-074A\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1059.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 7\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"PowerShell\"\n                ],\n                \"mitre_attack_tactics\": 
[\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"APT39\",\n                    \"DarkVishnya\",\n                    \"Molerats\",\n                    \"Wizard Spider\",\n                    \"Frankenstein\",\n                    \"Inception\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"Kimsuky\",\n                    \"Soft Cell\",\n                    \"TA505\",\n                    \"WIRTE\",\n                    \"TEMP.Veles\",\n                    \"APT33\",\n                    \"Gallmaker\",\n                    \"Turla\",\n                    \"APT19\",\n                    \"DarkHydrus\",\n                    \"APT28\",\n                    \"Thrip\",\n                    \"Gorgon Group\",\n                    \"Cobalt Group\",\n                    \"Dragonfly 2.0\",\n                    \"Leviathan\",\n                    \"TA459\",\n                    \"FIN8\",\n                    \"MuddyWater\",\n                    \"Magic Hound\",\n                    \"OilRig\",\n                    \"BRONZE BUTLER\",\n                    \"CopyKittens\",\n                    \"APT32\",\n                    \"FIN7\",\n                    \"FIN10\",\n                    \"Threat Group-3390\",\n                    \"menuPass\",\n                    \"Patchwork\",\n                    \"Stealth Falcon\",\n                    \"FIN6\",\n                    \"Poseidon Group\",\n                    \"APT3\",\n                    \"APT29\",\n                    \"Deep Panda\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n        
        {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"malicious_powershell_process___execution_policy_bypass_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Malicious PowerShell Process - Multiple Suspicious Command-Line Arguments\",\n            \"id\": \"2cdb91d2-542c-497f-b252-be495e71f38c\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search (process=*-EncodedCommand* OR process=*-enc*) process=*-Exec* AND process=*-NonI* | `malicious_powershell_process___multiple_suspicious_command_line_arguments_filter`\",\n            \"known_false_positives\": \"Legitimate process can have this combination of command-line options, but it's not common.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Malicious PowerShell\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1059.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 7\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"PowerShell\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\"\n                ],\n              
  \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"APT39\",\n                    \"DarkVishnya\",\n                    \"Molerats\",\n                    \"Wizard Spider\",\n                    \"Frankenstein\",\n                    \"Inception\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"Kimsuky\",\n                    \"Soft Cell\",\n                    \"TA505\",\n                    \"WIRTE\",\n                    \"TEMP.Veles\",\n                    \"APT33\",\n                    \"Gallmaker\",\n                    \"Turla\",\n                    \"APT19\",\n                    \"DarkHydrus\",\n                    \"APT28\",\n                    \"Thrip\",\n                    \"Gorgon Group\",\n                    \"Cobalt Group\",\n                    \"Dragonfly 2.0\",\n                    \"Leviathan\",\n                    \"TA459\",\n                    \"FIN8\",\n                    \"MuddyWater\",\n                    \"Magic Hound\",\n                    \"OilRig\",\n                    \"BRONZE BUTLER\",\n                    \"CopyKittens\",\n                    \"APT32\",\n                    \"FIN7\",\n                    \"FIN10\",\n                    \"Threat Group-3390\",\n                    \"menuPass\",\n                    \"Patchwork\",\n                    \"Stealth Falcon\",\n                    \"FIN6\",\n                    \"Poseidon Group\",\n                    \"APT3\",\n                    \"APT29\",\n                    \"Deep Panda\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                       
 \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"malicious_powershell_process___multiple_suspicious_command_line_arguments_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Malicious PowerShell Process With Obfuscation Techniques\",\n            \"id\": \"cde75cf6-3c7a-4dd6-af01-27cdb4511fd4\",\n            \"version\": 3,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for PowerShell processes launched with arguments that have characters indicative of obfuscation on the command-line.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval num_obfuscation = (mvcount(split(process, \\\"`\\\"))-1) + (mvcount(split(process, \\\"^\\\"))-1) | `malicious_powershell_process_with_obfuscation_techniques_filter` | search num_obfuscation > 0\",\n            \"known_false_positives\": \"These characters might be legitimately on the command-line, but it is not common.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Malicious PowerShell\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1059.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 7\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"PowerShell\"\n                ],\n                \"mitre_attack_tactics\": [\n                    
\"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"APT39\",\n                    \"DarkVishnya\",\n                    \"Molerats\",\n                    \"Wizard Spider\",\n                    \"Frankenstein\",\n                    \"Inception\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"Kimsuky\",\n                    \"Soft Cell\",\n                    \"TA505\",\n                    \"WIRTE\",\n                    \"TEMP.Veles\",\n                    \"APT33\",\n                    \"Gallmaker\",\n                    \"Turla\",\n                    \"APT19\",\n                    \"DarkHydrus\",\n                    \"APT28\",\n                    \"Thrip\",\n                    \"Gorgon Group\",\n                    \"Cobalt Group\",\n                    \"Dragonfly 2.0\",\n                    \"Leviathan\",\n                    \"TA459\",\n                    \"FIN8\",\n                    \"MuddyWater\",\n                    \"Magic Hound\",\n                    \"OilRig\",\n                    \"BRONZE BUTLER\",\n                    \"CopyKittens\",\n                    \"APT32\",\n                    \"FIN7\",\n                    \"FIN10\",\n                    \"Threat Group-3390\",\n                    \"menuPass\",\n                    \"Patchwork\",\n                    \"Stealth Falcon\",\n                    \"FIN6\",\n                    \"Poseidon Group\",\n                    \"APT3\",\n                    \"APT29\",\n                    \"Deep Panda\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n            
        \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"malicious_powershell_process_with_obfuscation_techniques_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Monitor Registry Keys for Print Monitors\",\n            \"id\": \"f5f6af30-7ba7-4295-bfe9-07de87c01bbc\",\n            \"version\": 1,\n            \"date\": \"2018-11-02\",\n            \"description\": \"This search looks for registry activity associated with modifications to the registry key `HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors`. In this scenario, an attacker can register an arbitrary .dll as a print monitor by writing its full path under this key. The system will load the .dll with elevated (SYSTEM) permissions, and the entry persists across reboots.\",\n            \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or via other endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report registry modifications.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.action=modified AND Registry.registry_path=\\\"*CurrentControlSet\\\\\\\\Control\\\\\\\\Print\\\\\\\\Monitors*\\\" by Registry.dest, Registry.registry_key_name Registry.status Registry.user Registry.registry_path Registry.action | `drop_dm_object_name(Registry)` | `monitor_registry_keys_for_print_monitors_filter`\",\n            \"known_false_positives\": \"You will encounter noise from legitimate print-monitor registry entries.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Windows Registry Activities\",\n                    \"Windows Persistence Techniques\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 5\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\",\n                    \"PR.AC\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    
\"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"monitor_registry_keys_for_print_monitors_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Osquery pack - ColdRoot detection\",\n            \"id\": \"a6fffe5e-05c3-4c04-badc-887607fbb8dc\",\n            \"version\": 1,\n            \"date\": \"2019-01-29\",\n            \"description\": \"This search looks for ColdRoot events from the osx-attacks osquery pack.\",\n            \"how_to_implement\": \"In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| from datamodel Alerts.Alerts | search app=osquery:results (name=pack_osx-attacks_OSX_ColdRoot_RAT_Launchd OR name=pack_osx-attacks_OSX_ColdRoot_RAT_Files) | rename columns.path as path | bucket _time span=30s | stats count(path) by _time, host, user, path | `osquery_pack___coldroot_detection_filter`\",\n            \"known_false_positives\": \"There are no known false positives.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"ColdRoot MacOS RAT\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Installation\",\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 4\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n      
              \"DE.DP\",\n                    \"DE.CM\",\n                    \"PR.PT\"\n                ],\n                \"security_domain\": \"threat\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"osquery_pack___coldroot_detection_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Overwriting Accessibility Binaries\",\n            \"id\": \"13c2f6c3-10c5-4deb-9ba1-7c4460ebe4ae\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"Microsoft Windows contains accessibility features that can be launched with a key combination before a user has logged in. An adversary can modify or replace these programs so they can get a command prompt or backdoor without logging in to the system. This search looks for modifications to these binaries.\",\n            \"how_to_implement\": \"You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. 
If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem where (Filesystem.file_path=*\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sethc.exe* OR Filesystem.file_path=*\\\\\\\\Windows\\\\\\\\System32\\\\\\\\utilman.exe* OR Filesystem.file_path=*\\\\\\\\Windows\\\\\\\\System32\\\\\\\\osk.exe* OR Filesystem.file_path=*\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Magnify.exe* OR Filesystem.file_path=*\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Narrator.exe* OR Filesystem.file_path=*\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DisplaySwitch.exe* OR Filesystem.file_path=*\\\\\\\\Windows\\\\\\\\System32\\\\\\\\AtBroker.exe*) by Filesystem.file_name Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `overwriting_accessibility_binaries_filter`\",\n            \"known_false_positives\": \"Microsoft may provide updates to these binaries. 
Verify that these changes do not correspond with your normal software update cycle.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Privilege Escalation\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1546.008\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Accessibility Features\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT41\",\n                    \"APT3\",\n                    \"APT29\",\n                    \"Deep Panda\",\n                    \"Axiom\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    
\"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"overwriting_accessibility_binaries_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Process Execution via WMI\",\n            \"id\": \"24869767-8579-485d-9a4f-d9ddfd8f0cac\",\n            \"version\": 3,\n            \"date\": \"2020-03-16\",\n            \"description\": \"This search looks for processes launched via WMI.\",\n            \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name = *WmiPrvSE.exe by Processes.user Processes.dest Processes.process_name  | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `process_execution_via_wmi_filter` \",\n            \"known_false_positives\": \"Although unlikely, administrators may use wmi to execute commands for legitimate purposes.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious WMI Use\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1047\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\"\n                ],\n                
\"nist\": [\n                    \"PR.PT\",\n                    \"PR.AT\",\n                    \"PR.AC\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Windows Management Instrumentation\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"Wizard Spider\",\n                    \"Frankenstein\",\n                    \"APT41\",\n                    \"FIN6\",\n                    \"Soft Cell\",\n                    \"APT32\",\n                    \"MuddyWater\",\n                    \"OilRig\",\n                    \"Threat Group-3390\",\n                    \"FIN8\",\n                    \"Leviathan\",\n                    \"menuPass\",\n                    \"Stealth Falcon\",\n                    \"Lazarus Group\",\n                    \"APT29\",\n                    \"Deep Panda\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output 
results to filter out false positives. \",\n                    \"name\": \"process_execution_via_wmi_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Processes created by netsh\",\n            \"id\": \"b89919ed-fe5f-492c-b139-95dbb162041e\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line.\",\n            \"how_to_implement\": \"To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process=\\\"*C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\netsh.exe*\\\" AND Processes.process_path!=\\\"C:\\\\\\\\Program Files\\\\\\\\rempl\\\\\\\\sedlauncher.exe\\\") by Processes.user Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `processes_created_by_netsh_filter`\",\n            \"known_false_positives\": \"It is unusual for netsh.exe to have any child processes in most environments. It makes sense to investigate the child process and verify whether the process spawned is legitimate. 
We explicitely exclude \\\"C:\\\\Program Files\\\\rempl\\\\sedlauncher.exe\\\" process path since it is a legitimate process by Mircosoft.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Netsh Abuse\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1059.001\",\n                    \"T1059.003\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"PowerShell\",\n                    \"Windows Command Shell\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\",\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"APT39\",\n                    \"DarkVishnya\",\n                    \"Molerats\",\n                    \"Wizard Spider\",\n                    \"Frankenstein\",\n                    \"Inception\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"Kimsuky\",\n                    \"Soft Cell\",\n                    \"TA505\",\n                    \"WIRTE\",\n                    \"TEMP.Veles\",\n                    \"APT33\",\n                    \"Gallmaker\",\n                    \"Turla\",\n                    \"APT19\",\n                    \"DarkHydrus\",\n                    \"APT28\",\n                    \"Thrip\",\n                    \"Gorgon Group\",\n                    \"Cobalt Group\",\n                    \"Dragonfly 2.0\",\n                    
\"Leviathan\",\n                    \"TA459\",\n                    \"FIN8\",\n                    \"MuddyWater\",\n                    \"Magic Hound\",\n                    \"OilRig\",\n                    \"BRONZE BUTLER\",\n                    \"CopyKittens\",\n                    \"APT32\",\n                    \"FIN7\",\n                    \"FIN10\",\n                    \"Threat Group-3390\",\n                    \"menuPass\",\n                    \"Patchwork\",\n                    \"Stealth Falcon\",\n                    \"FIN6\",\n                    \"Poseidon Group\",\n                    \"APT3\",\n                    \"APT29\",\n                    \"Deep Panda\",\n                    \"TA505\",\n                    \"Blue Mockingbird\",\n                    \"Tropic Trooper\",\n                    \"Frankenstein\",\n                    \"OilRig\",\n                    \"Lazarus Group\",\n                    \"Honeybee\",\n                    \"Cobalt Group\",\n                    \"FIN7\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"Turla\",\n                    \"Silence\",\n                    \"APT32\",\n                    \"APT39\",\n                    \"Darkhotel\",\n                    \"MuddyWater\",\n                    \"APT18\",\n                    \"APT38\",\n                    \"Dark Caracal\",\n                    \"Gorgon Group\",\n                    \"Dragonfly 2.0\",\n                    \"Rancor\",\n                    \"Ke3chang\",\n                    \"APT37\",\n                    \"Leviathan\",\n                    \"FIN8\",\n                    \"APT28\",\n                    \"Magic Hound\",\n                    \"Sowbug\",\n                    \"BRONZE BUTLER\",\n                    \"FIN10\",\n                    \"Threat Group-3390\",\n                    \"menuPass\",\n                    \"Gamaredon Group\",\n                    \"Suckfly\",\n                    
\"Patchwork\",\n                    \"Threat Group-1314\",\n                    \"APT3\",\n                    \"admin@338\",\n                    \"APT1\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"processes_created_by_netsh_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Processes launching netsh\",\n            \"id\": \"b89919ed-fe5f-492c-b139-95dbb162040e\",\n            \"version\": 3,\n            \"date\": \"2020-07-10\",\n            \"description\": \"This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. 
In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.\",\n            \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Josef Kuepker, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) AS Processes.process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=netsh.exe by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.user Processes.dest |`drop_dm_object_name(\\\"Processes\\\")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`processes_launching_netsh_filter`\",\n            \"known_false_positives\": \"Some VPN applications are known to launch netsh.exe. 
Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Netsh Abuse\",\n                    \"Disabling Security Tools\",\n                    \"DHS Report TA18-074A\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1562.004\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Disable or Modify System Firewall\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Rocke\",\n                    \"Lazarus Group\",\n                    \"Kimsuky\",\n                    \"Dragonfly 2.0\",\n                    \"Carbanak\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Baseline of SMB Traffic - MLTK\",\n                    \"id\": \"df98763b-0b08-4281-8ef9-08db7ac572a9\",\n                    \"version\": 1,\n                    \"date\": \"2019-05-08\",\n                    \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the number of SMB connections observed each hour for every day of week. By default, the search uses the last 30 days of data to build the model. 
The model created by this search is then used in the corresponding detection search to identify outliers in the number of SMB connections for that hour and day of the week.\",\n                    \"how_to_implement\": \"You must be ingesting network traffic and populating the Network_Traffic data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. To improve your results, you may consider adding \\\"src\\\" to the by clause, which will build the model for each unique source in your enviornment. However, if you have a large number of hosts in your environment, this search may be very resource intensive. In this case, you may need to raise the value of max_inputs and/or max_groups in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. 
More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=10m, All_Traffic.src | eval HourOfDay=strftime(_time, \\\"%H\\\") | eval DayOfWeek=strftime(_time, \\\"%A\\\") | `drop_dm_object_name(\\\"All_Traffic\\\")` | fit DensityFunction count by \\\"HourOfDay,DayOfWeek\\\" into smb_pdfmodel\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DHS Report TA18-074A\",\n                            \"Disabling Security Tools\",\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"Hidden Cobra Malware\",\n                            \"Netsh Abuse\",\n                            \"Ransomware\"\n                        ],\n                        \"detections\": [\n                            \"Processes launching netsh\",\n                            \"SMB Traffic Spike - MLTK\"\n                        ]\n                    }\n                },\n                {\n                    \"name\": \"Previously seen command line arguments\",\n                    \"id\": \"56059acf-50fe-4f60-98d1-b75b51b5c2f3\",\n                    \"version\": 2,\n                    \"date\": \"2019-03-01\",\n                    \"description\": \"This search looks for command-line arguments where `cmd.exe /c` is used to execute a program, then creates a baseline of the earliest and latest times we have encountered this command-line argument in our dataset within the last 30 days.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the 
Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe AND Processes.process=\\\"* /c *\\\" by Processes.process | `drop_dm_object_name(Processes)`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DHS Report TA18-074A\",\n                            \"Disabling Security Tools\",\n                            \"Hidden Cobra Malware\",\n                            \"Netsh Abuse\",\n                            \"Orangeworm Attack Group\",\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Suspicious Command-Line Executions\",\n                            \"Suspicious MSHTA Activity\"\n                        ],\n                        \"detections\": [\n                            \"Detect Prohibited Applications Spawning cmd.exe\",\n                            \"Processes launching netsh\",\n                            \"First time seen command line argument\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    
\"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"processes_launching_netsh_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Processes Tapping Keyboard Events\",\n            \"id\": \"2a371608-331d-4034-ae2c-21dda8f1d0ec\",\n            \"version\": 1,\n            \"date\": \"2019-01-25\",\n            \"description\": \"This search looks for processes in an MacOS system that is tapping keyboard events in MacOS, and essentially monitoring all keystrokes made by a user. This is a common technique used by RATs to log keystrokes from a victim, although it can also be used by legitimate processes like Siri to react on human input\",\n            \"how_to_implement\": \"In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. 
Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Jose Hernandez, Splunk\",\n            \"search\": \"| from datamodel Alerts.Alerts | search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps | rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id| dedup host,process_name | table host,process_name, cmd, process_id | `processes_tapping_keyboard_events_filter`\",\n            \"known_false_positives\": \"There might be some false positives as keyboard event taps are used by processes like Siri and Zoom video chat, for some good examples of processes to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"ColdRoot MacOS RAT\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 4\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.DP\"\n                ],\n                \"security_domain\": \"threat\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"processes_tapping_keyboard_events_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Prohibited Applications Spawning cmd exe - SSA\",\n            \"id\": \"c10a18cb-fd80-4ffa-a844-25026e0a0c94\",\n            \"version\": 1,\n            \"date\": \"2020-7-13\",\n            \"description\": \"This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe. This is a SPL2 implementation of the rule `Detect Prohibited Applications Spawning cmd.exe` by @bpatel.\",\n            \"how_to_implement\": \"You must be ingesting sysmon logs. This search has been modified to process raw sysmon data from attack_range's nxlogs on DSP.\",\n            \"author\": \"Ignacio Bermudez Corrales, Splunk\",\n            \"type\": \"SSA\",\n            \"search\": \"| from read_ssa_enriched_events()\\n| eval timestamp=parse_long(ucast(map_get(input_event, \\\"_time\\\"), \\\"string\\\", null)) | eval process_name=ucast(map_get(input_event, \\\"process_name\\\"), \\\"string\\\", null), parent_process=lower(ucast(map_get(input_event, \\\"parent_process_name\\\"), \\\"string\\\", null)), dest_user_id=ucast(map_get(input_event, \\\"dest_user_id\\\"), \\\"string\\\", null), dest_device_id=ucast(map_get(input_event, \\\"dest_device_id\\\"), \\\"string\\\", null)\\n| where process_name=\\\"cmd.exe\\\" | rex field=parent_process \\\"(?<field0>[^\\\\\\\\\\\\\\\\]+)$\\\" | where field0=\\\"winword.exe\\\" OR field0=\\\"excel.exe\\\" OR field0=\\\"outlook.exe\\\" OR field0=\\\"powerpnt.exe\\\" OR field0=\\\"visio.exe\\\" OR field0=\\\"mspub.exe\\\" OR field0=\\\"acrobat.exe\\\" OR field0=\\\"acrord32.exe\\\" OR field0=\\\"chrome.exe\\\" OR field0=\\\"iexplore.exe\\\" OR field0=\\\"opera.exe\\\" OR field0=\\\"firefox.exe\\\" OR field0=\\\"java.exe\\\" OR field0=\\\"powershell.exe\\\"\\n| eval start_time=timestamp, end_time=timestamp, 
entities=mvappend(dest_device_id, dest_user_id), body=\\\"TBD\\\" | into write_ssa_detected_events();\",\n            \"eli5\": \"Obtaining access to the Command-Line Interface (CLI) is typically a primary attacker goal. Once an attacker has obtained the ability to execute code on a target system, they will often further manipulate the system via commands passed to the CLI. It is also unusual for many applications to spawn a command shell during normal operation, while it is often observed if an application has been compromised in some way. As such, it is often beneficial to look for cmd.exe being executed by processes that are often targeted for exploitation, or that would not spawn cmd.exe in any other circumstances. A lookup file is provided to easily modify the processes that are being watched for execution of cmd.exe.\",\n            \"known_false_positives\": \"There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. 
Investigate and modify the lookup file, as appropriate.\",\n            \"tags\": {\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Exploitation\"\n                ],\n                \"mitre_technique_id\": [\n                    \"T1059\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"risk_severity\": \"low\",\n                \"security_domain\": \"endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            }\n        },\n        {\n            \"name\": \"Prohibited Software On Endpoint\",\n            \"id\": \"a51bfe1a-94f0-48cc-b4e4-b6ae50145893\",\n            \"version\": 2,\n            \"date\": \"2019-10-11\",\n            \"description\": \"This search looks for applications on the endpoint that you have marked as prohibited.\",\n            \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. This is typically populated via endpoint detection-and-response products, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is usually generated via logs that report process tracking in your Windows audit settings. In addition, you must also have only the `process_name` (not the entire process path) marked as \\\"prohibited\\\" in the Enterprise Security `interesting processes` table. 
To include the process names marked as \\\"prohibited\\\", which is included with ES Content Updates, run the included search <code>Add Prohibited Processes to Enterprise Security</code>.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `prohibited_softwares` | `prohibited_software_on_endpoint_filter`\",\n            \"known_false_positives\": \"None identified\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Monitor for Unauthorized Software\",\n                    \"Emotet Malware  DHS Report TA18-201A \",\n                    \"SamSam Ransomware\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Installation\",\n                    \"Command and Control\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 2\"\n                ],\n                \"nist\": [\n                    \"ID.AM\",\n                    \"PR.DS\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Add Prohibited Processes to Enterprise Security\",\n                    \"id\": \"251930a5-1451-4428-bb13-eed5775be0ce\",\n                    \"version\": 1,\n                    \"date\": \"2017-09-15\",\n                    \"description\": \"This search 
takes the existing interesting process table from ES, filters out any existing additions added by ESCU and then updates the table with processes identified by ESCU that should be prohibited on your endpoints.\",\n                    \"how_to_implement\": \"This search should be run on each new install of ESCU.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| inputlookup interesting_processes_lookup | search note!=ESCU* | inputlookup append=T prohibitedProcesses_lookup | fillnull value=* dest dest_pci_domain | fillnull value=false is_required is_secure | fillnull value=true is_prohibited | outputlookup interesting_processes_lookup | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"Monitor for Unauthorized Software\",\n                            \"SamSam Ransomware\"\n                        ],\n                        \"detections\": [\n                            \"Prohibited Software On Endpoint\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"lookup interesting_processes_lookup app as process_name OUTPUT is_prohibited | 
search is_prohibited=True\",\n                    \"description\": \"This macro limits the output to process_names that have been marked as prohibited\",\n                    \"name\": \"prohibited_softwares\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"prohibited_software_on_endpoint_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Reg exe Manipulating Windows Services Registry Keys\",\n            \"id\": \"8470d755-0c13-45b3-bd63-387a373c10cf\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"The search looks for reg.exe modifying registry keys that define Windows services and their configurations.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes where Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services* by Processes.process_id Processes.dest Processes.process | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `reg_exe_manipulating_windows_services_registry_keys_filter`\",\n            \"known_false_positives\": \"It is unusual for a service to be created or modified by directly manipulating the registry. However, there may be legitimate instances of this behavior. 
It is important to validate and investigate, as appropriate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Service Abuse\",\n                    \"Windows Persistence Techniques\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1547.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Installation\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.IP\",\n                    \"PR.PT\",\n                    \"PR.AC\",\n                    \"PR.AT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Registry Run Keys / Startup Folder\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Persistence\",\n                    \"Privilege Escalation\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Rocke\",\n                    \"Tropic Trooper\",\n                    \"Gamaredon Group\",\n                    \"Sharpshooter\",\n                    \"Molerats\",\n                    \"Silence\",\n                    \"RTM\",\n                    \"Inception\",\n                    \"APT41\",\n                    \"Machete\",\n                    \"Kimsuky\",\n                    \"APT33\",\n                    \"APT39\",\n                    \"APT32\",\n                    \"APT18\",\n                    \"Turla\",\n                    \"Dark Caracal\",\n                    \"Cobalt Group\",\n                    \"Honeybee\",\n                    \"Threat Group-3390\",\n                    \"Dragonfly 2.0\",\n                    \"Gorgon 
Group\",\n                    \"Ke3chang\",\n                    \"APT19\",\n                    \"Leviathan\",\n                    \"MuddyWater\",\n                    \"APT37\",\n                    \"BRONZE BUTLER\",\n                    \"Magic Hound\",\n                    \"APT3\",\n                    \"FIN10\",\n                    \"FIN7\",\n                    \"Patchwork\",\n                    \"FIN6\",\n                    \"Lazarus Group\",\n                    \"Putter Panda\",\n                    \"APT29\",\n                    \"Darkhotel\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"reg_exe_manipulating_windows_services_registry_keys_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Reg exe used to hide files directories via registry keys\",\n            \"id\": \"c77162d3-f93c-45cc-80c8-22f6b5264x9f\",\n            \"version\": 2,\n            \"date\": \"2019-02-27\",\n            \"description\": \"The search looks for command-line arguments used to hide a file or directory using the reg add command.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = reg.exe Processes.process=\\\"*add*\\\" Processes.process=\\\"*Hidden*\\\" Processes.process=\\\"*REG_DWORD*\\\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`| regex process = \\\"(/d\\\\s+2)\\\" | `reg_exe_used_to_hide_files_directories_via_registry_keys_filter`\",\n            \"known_false_positives\": \"None at the moment\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Defense Evasion Tactics\",\n                    \"Suspicious Windows Registry Activities\",\n                    \"Windows Persistence Techniques\"\n                ],\n                \"kill_chain_phases\": [\n     
               \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"reg_exe_used_to_hide_files_directories_via_registry_keys_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Registry Keys for Creating SHIM Databases\",\n            \"id\": \"f5f6af30-7aa7-4295-bfe9-07fe87c01bbb\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for registry activity associated with application compatibility shims, which can be leveraged by attackers for various nefarious purposes.\",\n            \"how_to_implement\": \"To successfully implement this search, you must populate the Change_Analysis data model. This is typically populated via endpoint detection and response products, such as Carbon Black or other endpoint data sources such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change_Analysis.All_Changes where All_Changes.object_category=registry AND (All_Changes.object_path=\\\"*CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom*\\\" OR All_Changes.object_path=\\\"*CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\InstalledSDB*\\\") by All_Changes.dest, All_Changes.command, All_Changes.user, All_Changes.object, All_Changes.object_path | `drop_dm_object_name(\\\"All_Changes\\\")` | `registry_keys_for_creating_shim_databases_filter`\",\n            \"known_false_positives\": \"There are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Windows Registry Activities\",\n                    \"Windows Persistence Techniques\"\n  
              ],\n                \"mitre_attack_id\": [\n                    \"T1546.011\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Application Shimming\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"FIN7\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"registry_keys_for_creating_shim_databases_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Registry Keys Used For Persistence\",\n            \"id\": \"f5f6af30-7aa7-4295-bfe9-07fe87c01a4b\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"The search looks for modifications to registry keys that can be used to launch an application or service at system startup.\",\n            \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*currentversion\\\\\\\\run* OR Registry.registry_path=*currentVersion\\\\\\\\Windows\\\\\\\\Appinit_Dlls* OR Registry.registry_path=CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell* OR Registry.registry_path=*CurrentVersion\\\\\\\\Winlogon\\\\\\\\Userinit* OR Registry.registry_path=*CurrentVersion\\\\\\\\Winlogon\\\\\\\\VmApplet* OR Registry.registry_path=*currentversion\\\\\\\\policies\\\\\\\\explorer\\\\\\\\run* OR Registry.registry_path=*currentversion\\\\\\\\runservices* OR Registry.registry_path=*\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\* OR Registry.registry_path=\\\"*Microsoft\\\\\\\\Windows 
NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options*\\\" OR Registry.registry_path=HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Netsh\\\\\\\\*) by Registry.dest , Registry.status, Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `registry_keys_used_for_persistence_filter`\",\n            \"known_false_positives\": \"There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Windows Registry Activities\",\n                    \"Suspicious MSHTA Activity\",\n                    \"DHS Report TA18-074A\",\n                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                    \"Ransomware\",\n                    \"Windows Persistence Techniques\",\n                    \"Emotet Malware  DHS Report TA18-201A \"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1547.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Registry Run Keys / Startup Folder\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Persistence\",\n                    \"Privilege Escalation\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Rocke\",\n                    \"Tropic Trooper\",\n                    \"Gamaredon 
Group\",\n                    \"Sharpshooter\",\n                    \"Molerats\",\n                    \"Silence\",\n                    \"RTM\",\n                    \"Inception\",\n                    \"APT41\",\n                    \"Machete\",\n                    \"Kimsuky\",\n                    \"APT33\",\n                    \"APT39\",\n                    \"APT32\",\n                    \"APT18\",\n                    \"Turla\",\n                    \"Dark Caracal\",\n                    \"Cobalt Group\",\n                    \"Honeybee\",\n                    \"Threat Group-3390\",\n                    \"Dragonfly 2.0\",\n                    \"Gorgon Group\",\n                    \"Ke3chang\",\n                    \"APT19\",\n                    \"Leviathan\",\n                    \"MuddyWater\",\n                    \"APT37\",\n                    \"BRONZE BUTLER\",\n                    \"Magic Hound\",\n                    \"APT3\",\n                    \"FIN10\",\n                    \"FIN7\",\n                    \"Patchwork\",\n                    \"FIN6\",\n                    \"Lazarus Group\",\n                    \"Putter Panda\",\n                    \"APT29\",\n                    \"Darkhotel\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": 
\"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"registry_keys_used_for_persistence_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Registry Keys Used For Privilege Escalation\",\n            \"id\": \"c9f4b923-f8af-4155-b697-1354f5bcbc5e\",\n            \"version\": 3,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under \\\"Image File Execution Options\\\" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries.\",\n            \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report reads and writes to the registry.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://blog.malwarebytes.com/101/2015/12/an-introduction-to-image-file-execution-options/\"\n            ],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=\\\"*Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options*\\\") AND (Registry.registry_key_name=GlobalFlag OR Registry.registry_key_name=Debugger) by Registry.dest  Registry.user | `security_content_ctime(lastTime)`  | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `registry_keys_used_for_privilege_escalation_filter`\",\n            \"known_false_positives\": \"There are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Privilege Escalation\",\n                    \"Suspicious Windows Registry Activities\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1547.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Registry Run Keys / 
Startup Folder\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Persistence\",\n                    \"Privilege Escalation\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Rocke\",\n                    \"Tropic Trooper\",\n                    \"Gamaredon Group\",\n                    \"Sharpshooter\",\n                    \"Molerats\",\n                    \"Silence\",\n                    \"RTM\",\n                    \"Inception\",\n                    \"APT41\",\n                    \"Machete\",\n                    \"Kimsuky\",\n                    \"APT33\",\n                    \"APT39\",\n                    \"APT32\",\n                    \"APT18\",\n                    \"Turla\",\n                    \"Dark Caracal\",\n                    \"Cobalt Group\",\n                    \"Honeybee\",\n                    \"Threat Group-3390\",\n                    \"Dragonfly 2.0\",\n                    \"Gorgon Group\",\n                    \"Ke3chang\",\n                    \"APT19\",\n                    \"Leviathan\",\n                    \"MuddyWater\",\n                    \"APT37\",\n                    \"BRONZE BUTLER\",\n                    \"Magic Hound\",\n                    \"APT3\",\n                    \"FIN10\",\n                    \"FIN7\",\n                    \"Patchwork\",\n                    \"FIN6\",\n                    \"Lazarus Group\",\n                    \"Putter Panda\",\n                    \"APT29\",\n                    \"Darkhotel\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n   
                 ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"registry_keys_used_for_privilege_escalation_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Remote Desktop Process Running On System\",\n            \"id\": \"f5939373-8054-40ad-8c64-cec478a22a4a\",\n            \"version\": 5,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for the remote desktop process mstsc.exe running on systems upon which it doesn't typically run. This is accomplished by filtering out all systems that are noted in the `common_rdp_source category` in the Assets and Identity framework.\",\n            \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. The search requires you to identify systems that do not commonly use remote desktop. You can use the included support search \\\"Identify Systems Using Remote Desktop\\\" to identify these systems. After identifying them, you will need to add the \\\"common_rdp_source\\\" category to that system using the Enterprise Security Assets and Identities framework. 
This can be done by adding an entry in the assets.csv file located in `SA-IdentityManagement/lookups`.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter` \",\n            \"known_false_positives\": \"Remote Desktop may be used legitimately by users on the network.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Hidden Cobra Malware\",\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1021.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 9\",\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.AE\",\n                    \"PR.AC\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Remote Desktop Protocol\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"Wizard Spider\",\n                    \"Silence\",\n                    \"APT41\",\n                    
\"TEMP.Veles\",\n                    \"Leviathan\",\n                    \"APT39\",\n                    \"Stolen Pencil\",\n                    \"Cobalt Group\",\n                    \"Dragonfly 2.0\",\n                    \"FIN8\",\n                    \"APT3\",\n                    \"OilRig\",\n                    \"menuPass\",\n                    \"FIN10\",\n                    \"Patchwork\",\n                    \"FIN6\",\n                    \"Lazarus Group\",\n                    \"APT1\",\n                    \"Axiom\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"remote_desktop_process_running_on_system_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Remote Process Instantiation via WMI\",\n            \"id\": \"d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for wmic.exe being launched with parameters to spawn a process on a remote system.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = wmic.exe Processes.process=\\\"*/node*\\\" Processes.process=\\\"*process*\\\" Processes.process=\\\"*call*\\\" Processes.process=\\\"*create*\\\"   by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_filter`\",\n            \"known_false_positives\": \"The wmic.exe utility is a benign Windows application. 
It may be used legitimately by Administrators with these parameters for remote system administration, but it's relatively uncommon.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Ransomware\",\n                    \"Suspicious WMI Use\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1021.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"PR.AT\",\n                    \"PR.AC\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Remote Desktop Protocol\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"Wizard Spider\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"TEMP.Veles\",\n                    \"Leviathan\",\n                    \"APT39\",\n                    \"Stolen Pencil\",\n                    \"Cobalt Group\",\n                    \"Dragonfly 2.0\",\n                    \"FIN8\",\n                    \"APT3\",\n                    \"OilRig\",\n                    \"menuPass\",\n                    \"FIN10\",\n                    \"Patchwork\",\n                    \"FIN6\",\n                    \"Lazarus Group\",\n                    \"APT1\",\n                    \"Axiom\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": 
\"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"remote_process_instantiation_via_wmi_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Remote Registry Key modifications\",\n            \"id\": \"c9f4b923-f8af-4155-b697-1354f5dcbc5e\",\n            \"version\": 3,\n            \"date\": \"2020-03-02\",\n            \"description\": \"This search monitors for remote modifications to registry keys.\",\n            \"how_to_implement\": \"To successfully implement this search, you must populate the `Endpoint` data model. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report reads and writes to the registry.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where  Registry.registry_path=\\\"\\\\\\\\\\\\\\\\*\\\"  by Registry.dest , Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `remote_registry_key_modifications_filter`\",\n            \"known_false_positives\": \"This technique may be legitimately used by administrators to modify remote registries, so it's important to filter these events out.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Defense Evasion Tactics\",\n                    \"Suspicious Windows Registry Activities\",\n                    \"Windows Persistence Techniques\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": 
\"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"remote_registry_key_modifications_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Remote WMI Command Attempt\",\n            \"id\": \"272df6de-61f1-4784-877c-1fbc3e2d0838\",\n            \"version\": 2,\n            \"date\": \"2018-12-03\",\n            \"description\": \"This search looks for wmic.exe being launched with parameters to operate on remote systems.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe  AND Processes.process= */node* by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_wmi_command_attempt_filter`\",\n            \"known_false_positives\": \"Administrators may use this legitimately to gather info from remote systems.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious WMI Use\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1047\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"PR.AT\",\n                    \"PR.AC\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Windows Management Instrumentation\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"Wizard Spider\",\n                    \"Frankenstein\",\n  
                  \"APT41\",\n                    \"FIN6\",\n                    \"Soft Cell\",\n                    \"APT32\",\n                    \"MuddyWater\",\n                    \"OilRig\",\n                    \"Threat Group-3390\",\n                    \"FIN8\",\n                    \"Leviathan\",\n                    \"menuPass\",\n                    \"Stealth Falcon\",\n                    \"Lazarus Group\",\n                    \"APT29\",\n                    \"Deep Panda\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"remote_wmi_command_attempt_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"RunDLL Loading DLL By Ordinal\",\n            \"id\": \"6c135f8d-5e60-454e-80b7-c56eed739833\",\n            \"version\": 3,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for DLLs under %AppData% being loaded by rundll32.exe that are calling the exported function at ordinal 2. Calling exported functions by ordinal is not as common as calling by exported name. 
IDA Pro had a bug, fixed on 2016-08-08, that prevented it from displaying functions without names; calling functions by ordinal takes advantage of that missing name and makes it harder for analysts to reverse engineer the DLL.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = rundll32.exe Processes.process=\\\"*AppData*\\\" Processes.process=\\\"*,#2\\\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll_loading_dll_by_ordinal_filter`\",\n            \"known_false_positives\": \"While not common, a legitimate process may load a DLL under %AppData% and call one of its functions by ordinal.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Unusual Processes\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1218.011\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Installation\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": 
\"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Rundll32\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT32\",\n                    \"Sandworm Team\",\n                    \"Blue Mockingbird\",\n                    \"TA505\",\n                    \"MuddyWater\",\n                    \"APT29\",\n                    \"APT19\",\n                    \"CopyKittens\",\n                    \"APT3\",\n                    \"Carbanak\",\n                    \"APT28\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"rundll_loading_dll_by_ordinal_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Samsam Test File Write\",\n            \"id\": \"69c12d59-d951-431e-ab77-ec426b8d65e6\",\n            \"version\": 1,\n            \"date\": \"2018-12-14\",\n            \"description\": \"The search looks for a file named \\\"test.txt\\\" written to the Windows system32 directory, which is consistent with SamSam propagation.\",\n            \"how_to_implement\": \"You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\\\\\\\windows\\\\\\\\system32\\\\\\\\test.txt by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `samsam_test_file_write_filter`\",\n            \"known_false_positives\": \"No false positives have been identified.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"SamSam Ransomware\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Delivery\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                
\"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"samsam_test_file_write_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Sc exe Manipulating Windows Services\",\n            \"id\": \"f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for arguments to sc.exe indicating the creation or modification of a Windows service.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process=\\\"* create *\\\" OR Processes.process=\\\"* config *\\\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`\",\n            \"known_false_positives\": \"Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. 
It is important to validate and investigate as appropriate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Service Abuse\",\n                    \"DHS Report TA18-074A\",\n                    \"Orangeworm Attack Group\",\n                    \"Windows Persistence Techniques\",\n                    \"Disabling Security Tools\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1543.003\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Installation\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.IP\",\n                    \"PR.PT\",\n                    \"PR.AC\",\n                    \"PR.AT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Windows Service\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Persistence\",\n                    \"Privilege Escalation\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"DarkVishnya\",\n                    \"Wizard Spider\",\n                    \"APT32\",\n                    \"APT41\",\n                    \"Kimsuky\",\n                    \"Tropic Trooper\",\n                    \"Cobalt Group\",\n                    \"Ke3chang\",\n                    \"Honeybee\",\n                    \"FIN7\",\n                    \"Threat Group-3390\",\n                    \"APT19\",\n                    \"APT3\",\n                    \"Lazarus Group\",\n                    \"Carbanak\"\n                ]\n            },\n            \"macros\": [\n        
        {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"sc_exe_manipulating_windows_services_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Scheduled Task Name Used by Dragonfly Threat Actors\",\n            \"id\": \"d5af132c-7c17-439c-9d31-13d55340f36c\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for flags passed to schtasks.exe on the command-line that indicate a task name associated with the Dragonfly threat actor was created or deleted.\",\n            \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe  by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search (process=*delete* OR process=*create*) process=*reset* | `scheduled_task_name_used_by_dragonfly_threat_actors_filter` \",\n            \"known_false_positives\": \"No known false positives\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"DHS Report TA18-074A\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1053.005\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\"\n                ],\n                \"nist\": [\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Scheduled Task\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\",\n                    \"Persistence\",\n                    \"Privilege Escalation\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Gamaredon Group\",\n                    \"Blue Mockingbird\",\n                    \"MuddyWater\",\n                    \"Wizard Spider\",\n       
             \"Frankenstein\",\n                    \"APT-C-36\",\n                    \"BRONZE BUTLER\",\n                    \"APT41\",\n                    \"Machete\",\n                    \"Soft Cell\",\n                    \"Silence\",\n                    \"TEMP.Veles\",\n                    \"APT33\",\n                    \"APT39\",\n                    \"Dragonfly 2.0\",\n                    \"Patchwork\",\n                    \"OilRig\",\n                    \"Rancor\",\n                    \"Cobalt Group\",\n                    \"FIN8\",\n                    \"menuPass\",\n                    \"FIN10\",\n                    \"APT32\",\n                    \"FIN7\",\n                    \"Stealth Falcon\",\n                    \"FIN6\",\n                    \"APT3\",\n                    \"APT29\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"scheduled_task_name_used_by_dragonfly_threat_actors_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Scheduled tasks used in BadRabbit ransomware\",\n            \"id\": \"1297fb80-f42a-4b4a-9c8b-78c066437cf6\",\n            \"version\": 3,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process  from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process= \\\"*create*\\\"  OR Processes.process= \\\"*delete*\\\") by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | search (process=*rhaegal* OR process=*drogon* OR *viserion_*) | `scheduled_tasks_used_in_badrabbit_ransomware_filter`\",\n            \"known_false_positives\": \"No known false positives\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Ransomware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1053.005\"\n                ],\n                \"kill_chain_phases\": [\n 
                   \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\"\n                ],\n                \"nist\": [\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Scheduled Task\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\",\n                    \"Persistence\",\n                    \"Privilege Escalation\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Gamaredon Group\",\n                    \"Blue Mockingbird\",\n                    \"MuddyWater\",\n                    \"Wizard Spider\",\n                    \"Frankenstein\",\n                    \"APT-C-36\",\n                    \"BRONZE BUTLER\",\n                    \"APT41\",\n                    \"Machete\",\n                    \"Soft Cell\",\n                    \"Silence\",\n                    \"TEMP.Veles\",\n                    \"APT33\",\n                    \"APT39\",\n                    \"Dragonfly 2.0\",\n                    \"Patchwork\",\n                    \"OilRig\",\n                    \"Rancor\",\n                    \"Cobalt Group\",\n                    \"FIN8\",\n                    \"menuPass\",\n                    \"FIN10\",\n                    \"APT32\",\n                    \"FIN7\",\n                    \"Stealth Falcon\",\n                    \"FIN6\",\n                    \"APT3\",\n                    \"APT29\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                
{\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"scheduled_tasks_used_in_badrabbit_ransomware_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Schtasks scheduling job on remote system\",\n            \"id\": \"1297fb80-f42a-4b4a-9c8a-88c066237cf6\",\n            \"version\": 4,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for flags passed to schtasks.exe on the command-line that indicate a job is being scheduled on a remote system.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = schtasks.exe Processes.process=\\\"*/create*\\\" Processes.process=\\\"* /s *\\\" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_scheduling_job_on_remote_system_filter`\",\n            \"known_false_positives\": \"Administrators may create jobs on remote systems, but this activity is usually limited to a small set of hosts or users. It is important to validate and investigate as appropriate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1053.005\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\"\n                ],\n                \"nist\": [\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Scheduled Task\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\",\n                    \"Persistence\",\n                    \"Privilege Escalation\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Gamaredon Group\",\n                    \"Blue Mockingbird\",\n        
            \"MuddyWater\",\n                    \"Wizard Spider\",\n                    \"Frankenstein\",\n                    \"APT-C-36\",\n                    \"BRONZE BUTLER\",\n                    \"APT41\",\n                    \"Machete\",\n                    \"Soft Cell\",\n                    \"Silence\",\n                    \"TEMP.Veles\",\n                    \"APT33\",\n                    \"APT39\",\n                    \"Dragonfly 2.0\",\n                    \"Patchwork\",\n                    \"OilRig\",\n                    \"Rancor\",\n                    \"Cobalt Group\",\n                    \"FIN8\",\n                    \"menuPass\",\n                    \"FIN10\",\n                    \"APT32\",\n                    \"FIN7\",\n                    \"Stealth Falcon\",\n                    \"FIN6\",\n                    \"APT3\",\n                    \"APT29\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"schtasks_scheduling_job_on_remote_system_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Schtasks used for forcing a reboot\",\n            \"id\": \"1297fb80-f42a-4b4a-9c8a-88c066437cf6\",\n            \"version\": 3,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for flags passed to schtasks.exe on the command-line that indicate a task running shutdown with the /r and /f flags (a forced reboot of the system) is being scheduled.\",\n            \"how_to_implement\": \"To successfully implement this search, you must be ingesting logs with both the process name and command line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = schtasks.exe Processes.process=\\\"*shutdown*\\\" Processes.process=\\\"*/r*\\\" Processes.process=\\\"*/f*\\\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_used_for_forcing_a_reboot_filter`\",\n            \"known_false_positives\": \"Administrators may schedule tasks that force a reboot in order to apply updates, perform maintenance, etc.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Persistence Techniques\",\n                    \"Ransomware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1053.005\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": 
[\n                    \"CIS 3\"\n                ],\n                \"nist\": [\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Scheduled Task\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\",\n                    \"Persistence\",\n                    \"Privilege Escalation\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Gamaredon Group\",\n                    \"Blue Mockingbird\",\n                    \"MuddyWater\",\n                    \"Wizard Spider\",\n                    \"Frankenstein\",\n                    \"APT-C-36\",\n                    \"BRONZE BUTLER\",\n                    \"APT41\",\n                    \"Machete\",\n                    \"Soft Cell\",\n                    \"Silence\",\n                    \"TEMP.Veles\",\n                    \"APT33\",\n                    \"APT39\",\n                    \"Dragonfly 2.0\",\n                    \"Patchwork\",\n                    \"OilRig\",\n                    \"Rancor\",\n                    \"Cobalt Group\",\n                    \"FIN8\",\n                    \"menuPass\",\n                    \"FIN10\",\n                    \"APT32\",\n                    \"FIN7\",\n                    \"Stealth Falcon\",\n                    \"FIN6\",\n                    \"APT3\",\n                    \"APT29\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                  
  ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"schtasks_used_for_forcing_a_reboot_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Script Execution via WMI\",\n            \"id\": \"aa73f80d-d728-4077-b226-81ea0c8be589\",\n            \"version\": 3,\n            \"date\": \"2020-03-16\",\n            \"description\": \"This search looks for scripts launched via WMI, identified by executions of scrcons.exe.\",\n            \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships, from your endpoints to populate the Endpoint data model in the Processes node. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name = \\\"scrcons.exe\\\" by Processes.user Processes.dest Processes.process_name  | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `script_execution_via_wmi_filter` \",\n            \"known_false_positives\": \"Although unlikely, administrators may use wmi to launch scripts for legitimate purposes.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious WMI Use\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1047\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"PR.AT\",\n                    \"PR.AC\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Windows Management Instrumentation\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"Wizard Spider\",\n                    \"Frankenstein\",\n                    \"APT41\",\n                    \"FIN6\",\n                    
\"Soft Cell\",\n                    \"APT32\",\n                    \"MuddyWater\",\n                    \"OilRig\",\n                    \"Threat Group-3390\",\n                    \"FIN8\",\n                    \"Leviathan\",\n                    \"menuPass\",\n                    \"Stealth Falcon\",\n                    \"Lazarus Group\",\n                    \"APT29\",\n                    \"Deep Panda\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"script_execution_via_wmi_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Shim Database File Creation\",\n            \"id\": \"6e4c4588-ba2f-42fa-97e6-9f6f548eaa33\",\n            \"version\": 3,\n            \"date\": \"2020-07-22\",\n            \"description\": \"This search looks for shim database files being written to default directories. The sdbinst.exe application is used to install shim database files (.sdb). 
According to Microsoft, a shim is a small library that transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere.\",\n            \"how_to_implement\": \"You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Filesystem.action) values(Filesystem.file_hash) as file_hash values(Filesystem.file_path) as file_path  min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=*Windows\\\\AppPatch\\\\Custom* by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`drop_dm_object_name(Filesystem)` | `shim_database_file_creation_filter`\",\n            \"known_false_positives\": \"Because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. 
However, if there are other correlating events, it may warrant further investigation.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Persistence Techniques\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1546.011\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Application Shimming\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"FIN7\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"shim_database_file_creation_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Shim Database Installation With Suspicious Parameters\",\n            \"id\": \"404620de-46d8-48b6-90cc-8a8d7b0876a3\",\n            \"version\": 3,\n            \"date\": \"2020-07-22\",\n            \"description\": \"This search detects the process execution and arguments required to silently create a shim database.  The sdbinst.exe application is used to install shim database files (.sdb). A shim is a small library which transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sdbinst.exe Processes.process=\\\"*-p*\\\" Processes.process=\\\"*-q*\\\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `shim_database_installation_with_suspicious_parameters_filter`\",\n            \"known_false_positives\": \"None identified\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Persistence Techniques\"\n                ],\n                \"mitre_attack_id\": 
[\n                    \"T1546.011\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Application Shimming\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"FIN7\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"shim_database_installation_with_suspicious_parameters_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Short Lived Windows Accounts\",\n            \"id\": \"b25f6f62-0782-43c1-b403-083231ffd97d\",\n            \"version\": 2,\n            \"date\": \"2020-07-06\",\n            \"description\": \"This search detects accounts that were created and deleted in a short time period.\",\n            \"how_to_implement\": \"This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs.  More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 OR All_Changes.result_id=4726 by _time span=4h All_Changes.user All_Changes.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(\\\"All_Changes\\\")` | search result_id = 4720 result_id=4726 | transaction user connected=false maxspan=240m | table firstTime lastTime count user dest result_id | `short_lived_windows_accounts_filter`\",\n            \"known_false_positives\": \"It is possible that an administrator created and deleted an account in a short time period.  
Verifying activity with an administrator is advised.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Account Monitoring and Controls\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1136.001\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"access\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [\n                    \"Local Account\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT39\",\n                    \"APT41\",\n                    \"Dragonfly 2.0\",\n                    \"Leafminer\",\n                    \"APT3\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"short_lived_windows_accounts_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Single Letter Process On Endpoint\",\n            \"id\": \"a4214f0b-e01c-41bc-8cc4-d2b71e3056b4\",\n            \"version\": 2,\n            \"date\": \"2019-04-01\",\n            \"description\": \"This search looks for process names that consist only of a single letter.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest, Processes.user, Processes.process, Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | eval process_name_length = len(process_name), endExe = if(substr(process_name, -4) == \\\".exe\\\", 1, 0) | search process_name_length=5 AND endExe=1 | table count, firstTime, lastTime, dest, user, process, process_name | `single_letter_process_on_endpoint_filter`\",\n            \"known_false_positives\": \"Single-letter executables are not always malicious. 
Investigate this activity with your normal incident-response process.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"DHS Report TA18-074A\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 2\"\n                ],\n                \"nist\": [\n                    \"ID.AM\",\n                    \"PR.DS\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"single_letter_process_on_endpoint_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Spike in File Writes\",\n            \"id\": \"fdb0f805-74e4-4539-8c00-618927333aae\",\n            \"version\": 3,\n            \"date\": \"2020-03-16\",\n            \"description\": \"The search looks for a sharp increase in the number of files written to a particular host\",\n            \"how_to_implement\": \"In order to implement this search, you must populate the Endpoint file-system data model node. This is typically populated via endpoint detection and response products, such as Carbon Black or endpoint data sources such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the file system.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.action=created by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \\\"-1d@d\\\"), count, null))) as \\\"count\\\" avg(eval(if(_time<relative_time(maxtime, \\\"-1d@d\\\"), count,null))) as avg stdev(eval(if(_time<relative_time(maxtime, \\\"-1d@d\\\"), count, null))) as stdev by \\\"dest\\\" | eval upperBound=(avg+stdev*4), isOutlier=if((count > upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 | `spike_in_file_writes_filter` \",\n            \"known_false_positives\": \"It is important to understand that if you happen to install any new applications on your hosts or are copying a large number of files, you can expect to see a large increase of file modifications.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"SamSam 
Ransomware\",\n                    \"Ransomware\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"spike_in_file_writes_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious Changes to File Associations\",\n            \"id\": \"1b989a0e-0129-4446-a695-f193a5b746fc\",\n            \"version\": 4,\n            \"date\": \"2020-07-22\",\n            \"description\": \"This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area.\",\n            \"how_to_implement\": \"To successfully implement this search you need to be ingesting information on registry changes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` nodes.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name!=Explorer.exe AND Processes.process_name!=OpenWith.exe by Processes.process_id Processes.dest | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join [| tstats `security_content_summariesonly` values(Registry.registry_path) as registry_path count  FROM datamodel=Endpoint.Registry where Registry.registry_path=*\\\\\\\\Explorer\\\\\\\\FileExts* by Registry.process_id Registry.dest | `drop_dm_object_name(\\\"Registry\\\")` | table process_id dest registry_path]| `suspicious_changes_to_file_associations_filter` \",\n            \"known_false_positives\": \"There may be other processes in your environment that users may legitimately use to modify file associations. 
If this is the case and you are finding false positives, you can modify the search to add those processes as exceptions.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Windows Registry Activities\",\n                    \"Windows File Extension and Association Abuse\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1546.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.CM\",\n                    \"PR.PT\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Change Default File Association\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Kimsuky\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    
\"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"suspicious_changes_to_file_associations_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious File Write\",\n            \"id\": \"57f76b8a-32f0-42ed-b358-d9fa3ca7bac8\",\n            \"version\": 3,\n            \"date\": \"2019-04-25\",\n            \"description\": \"The search looks for files created with names that have been linked to malicious activity.\",\n            \"how_to_implement\": \"You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file system reads and writes. In addition, this search leverages an included lookup file that contains the names of the files to watch for, as well as a note to communicate why that file name is being monitored. This lookup file can be edited to add or remove the file names you want to monitor.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Filesystem.action) as action values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `suspicious_writes` | `suspicious_file_write_filter`\",\n            \"known_false_positives\": \"It's possible for a legitimate file to be created with the same name as one noted in the lookup file. 
Filenames listed in the lookup file should be unique enough that collisions are rare. Looking at the location of the file and the process responsible for the activity can help determine whether or not the activity is legitimate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Hidden Cobra Malware\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"lookup suspicious_writes_lookup file as file_name OUTPUT note as \\\"Reference\\\" | search \\\"Reference\\\" != False\",\n                    \"description\": \"This macro limits the output to file names that have been marked as suspicious\",\n                    \"name\": \"suspicious_writes\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                  
  \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"suspicious_file_write_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious Java Classes\",\n            \"id\": \"if1fea6da-3c86-4c1d-b255-fc3b2781a491\",\n            \"version\": 1,\n            \"date\": \"2018-12-06\",\n            \"description\": \"This search looks for suspicious Java classes that are often used to exploit remote command execution in common Java frameworks, such as Apache Struts.\",\n            \"how_to_implement\": \"In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers. This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Jose Hernandez, Splunk\",\n            \"search\": \"`stream_http` http_method=POST http_content_length>1 | regex form_data=\\\"(?i)java\\\\.lang\\\\.(?:runtime|processbuilder)\\\" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_java_classes_filter`\",\n            \"known_false_positives\": \"There are no known false positives.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Apache Struts Vulnerability\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Exploitation\"\n                ],\n                \"cis20\": [\n                    \"CIS 7\",\n                    \"CIS 12\"\n                
],\n                \"nist\": [\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"threat\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=stream:http\",\n                    \"description\": \"customer-specific Splunk configurations (e.g. index, source, sourcetype). Replace the macro definition with configurations for your Splunk environment.\",\n                    \"name\": \"stream_http\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"suspicious_java_classes_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious LNK file launching a process\",\n            \"id\": \"5d814af1-1041-47b5-a9ac-d754e82e9a26\",\n            \"version\": 3,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for a `*.lnk` file under `C:\\\\User*` or `*\\\\Local\\\\Temp\\\\*` executing a process. This is common behavior used by various spear phishing tools.\",\n            \"how_to_implement\": \"You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. 
This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon.\",\n            \"type\": \"ESCU\",\n            \"author\": \"Jose Hernandez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\\\"*.lnk\\\" AND (Filesystem.file_path=\\\"C:\\\\\\\\Users*\\\" OR Filesystem.file_path=\\\"*Local\\\\\\\\Temp*\\\")  by _time span=1h Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.file_hash Filesystem.user | `drop_dm_object_name(Filesystem)` | rename process_id as lnk_pid | join lnk_pid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*  by _time span=1h Processes.parent_process_id Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process | `drop_dm_object_name(Processes)` | rename parent_process_id as lnk_pid | fields _time lnk_pid process_id dest process_name process_path process] | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime, lnk_pid, process_id, user, dest, file_name, file_path, process_name, process, process_path, file_hash | `suspicious_lnk_file_launching_a_process_filter` \",\n            \"known_false_positives\": \"This detection should yield little or no false positive results. 
It is uncommon for LNK files to execute processes from temporary or user directories.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Phishing Payloads\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1566.002\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Installation\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 7\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"ID.AM\",\n                    \"PR.DS\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Spearphishing Link\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Windshift\",\n                    \"Molerats\",\n                    \"Mofang\",\n                    \"BlackTech\",\n                    \"Machete\",\n                    \"Kimsuky\",\n                    \"TA505\",\n                    \"Stolen Pencil\",\n                    \"APT39\",\n                    \"FIN4\",\n                    \"APT32\",\n                    \"Night Dragon\",\n                    \"Turla\",\n                    \"APT28\",\n                    \"Cobalt Group\",\n                    \"Dragonfly 2.0\",\n                    \"OilRig\",\n                    \"APT33\",\n                    \"Elderwood\",\n                    \"Leviathan\",\n                    \"Magic Hound\",\n                    \"Patchwork\",\n                    \"APT29\",\n                    \"FIN8\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": 
\"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"suspicious_lnk_file_launching_a_process_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious Reg exe Process\",\n            \"id\": \"a6b3ab4e-dd77-4213-95fa-fc94701995e0\",\n            \"version\": 4,\n            \"date\": \"2020-07-22\",\n            \"description\": \"This search looks for reg.exe being launched from a command prompt not started by the user. When a user launches cmd.exe, the parent process is usually explorer.exe. This search filters out those instances.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://car.mitre.org/wiki/CAR-2013-03-001\"\n            ],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name != explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id Processes.dest Processes.process_name | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup process_id| table process_id dest] | `suspicious_reg_exe_process_filter` \",\n            \"known_false_positives\": \"It's possible for system administrators to write scripts that exhibit this behavior. 
If this is the case, the search will need to be modified to filter them out.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Defense Evasion Tactics\",\n                    \"Disabling Security Tools\",\n                    \"DHS Report TA18-074A\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1112\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Modify Registry\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Gamaredon Group\",\n                    \"Blue Mockingbird\",\n                    \"Wizard Spider\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"Turla\",\n                    \"APT32\",\n                    \"APT38\",\n                    \"Dragonfly 2.0\",\n                    \"APT19\",\n                    \"Threat Group-3390\",\n                    \"Honeybee\",\n                    \"Patchwork\",\n                    \"Gorgon Group\",\n                    \"FIN8\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        
\"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"suspicious_reg_exe_process_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious wevtutil Usage\",\n            \"id\": \"2827c0fd-e1be-4868-ae25-59d28e0f9d4f\",\n            \"version\": 3,\n            \"date\": \"2020-07-22\",\n            \"description\": \"The wevtutil.exe application is the windows event log utility. This searches for wevtutil.exe with parameters for clearing the application, security, setup, or system event logs.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = wevtutil.exe Processes.process=\\\"*cl*\\\" (Processes.process=\\\"*System*\\\" OR Processes.process=\\\"*Security*\\\" OR Processes.process=\\\"*Setup*\\\" OR Processes.process=\\\"*Application*\\\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `suspicious_wevtutil_usage_filter`\",\n            \"known_false_positives\": \"The wevtutil.exe application is a legitimate Windows event log utility. Administrators may use it to manage Windows event logs.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Log Manipulation\",\n                    \"Ransomware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1070.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\",\n                    \"CIS 6\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"PR.IP\",\n                    \"PR.PT\",\n                    \"PR.AC\",\n                    \"PR.AT\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"\",\n                \"mitre_attack_technique\": [\n                    \"Clear Windows Event Logs\"\n         
       ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT41\",\n                    \"APT38\",\n                    \"Dragonfly 2.0\",\n                    \"APT32\",\n                    \"FIN8\",\n                    \"FIN5\",\n                    \"APT28\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"suspicious_wevtutil_usage_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious writes to System Volume Information\",\n            \"id\": \"cd6297cd-2bdd-4aa1-84aa-5d2f84228fac\",\n            \"version\": 2,\n            \"date\": \"2020-07-22\",\n            \"description\": \"This search detects writes to the 'System Volume Information' folder by something other than the System process.\",\n            \"how_to_implement\": \"You need to be ingesting logs with both the process name and command-line from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"(`sysmon` OR tag=process) EventCode=11 process_id!=4 file_path=*System\\\\ Volume\\\\ Information* | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, file_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_writes_to_system_volume_information_filter`\",\n            \"known_false_positives\": \"It is possible that other utilities or system processes may legitimately write to this folder. Investigate and modify the search to include exceptions as appropriate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Collection and Staging\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1036\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [\n                    \"Masquerading\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Windshift\",\n                    \"APT32\",\n                    \"BRONZE BUTLER\",\n                    \"menuPass\",\n                    \"Dragonfly 2.0\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"sysmon\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"suspicious_writes_to_system_volume_information_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious writes to windows Recycle Bin\",\n            \"id\": \"b5541828-8ffd-4070-9d95-b3da4de924cb\",\n            \"version\": 4,\n            \"date\": \"2020-07-22\",\n            \"description\": \"This search detects writes to the recycle bin by a process other than explorer.exe.\",\n            \"how_to_implement\": \"To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` nodes.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = \\\"*$Recycle.Bin*\\\" by Filesystem.process_id Filesystem.dest | `drop_dm_object_name(\\\"Filesystem\\\")`| search [| tstats `security_content_summariesonly` 
values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name != \\\"explorer.exe\\\" by Processes.process_id Processes.dest| `drop_dm_object_name(\\\"Processes\\\")` | table process_id dest] | `suspicious_writes_to_windows_recycle_bin_filter`\",\n            \"known_false_positives\": \"Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Collection and Staging\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1036\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [\n                    \"Masquerading\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Windshift\",\n                    \"APT32\",\n                    \"BRONZE BUTLER\",\n                    \"menuPass\",\n                    \"Dragonfly 2.0\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update 
this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"suspicious_writes_to_windows_recycle_bin_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"System Information Discovery Detection\",\n            \"id\": \"8e99f89e-ae58-4ebc-bf52-ae0b1a277e72\",\n            \"version\": 1,\n            \"date\": \"2020-10-12\",\n            \"description\": \"Detect system information discovery techniques used by attackers to understand configurations of the system to further exploit it.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://oscp.infosecsanyam.in/priv-escalation/windows-priv-escalation\"\n            ],\n            \"author\": \"Patrick Bareiss, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\\\"*wmic* qfe*\\\" OR Processes.process=*systeminfo* OR Processes.process=*hostname*) by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | eventstats dc(process) as dc_processes_by_dest by dest | where dc_processes_by_dest > 2 | stats values(process) min(firstTime) as firstTime max(lastTime) as lastTime by user, dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `system_information_discovery_detection_filter`\",\n            \"known_false_positives\": \"Administrators debugging servers\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Discovery Techniques\"\n                ],\n                \"asset_type\": \"Windows\",\n                \"cis20\": [\n                    \"CIS 6\",\n                    \"CIS 8\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                
\"mitre_attack_id\": [\n                    \"T1082\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"mitre_attack_technique\": [\n                    \"System Information Discovery\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Discovery\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Rocke\",\n                    \"Sandworm Team\",\n                    \"Blue Mockingbird\",\n                    \"Tropic Trooper\",\n                    \"Frankenstein\",\n                    \"Inception\",\n                    \"Kimsuky\",\n                    \"Darkhotel\",\n                    \"MuddyWater\",\n                    \"APT18\",\n                    \"Honeybee\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"APT32\",\n                    \"Magic Hound\",\n                    \"OilRig\",\n                    \"APT3\",\n                    \"Sowbug\",\n                    \"Gamaredon Group\",\n                    \"Patchwork\",\n                    \"Stealth Falcon\",\n                    \"Lazarus Group\",\n                    \"admin@338\",\n                    \"Turla\",\n                    \"Ke3chang\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n         
           \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"system_information_discovery_detection_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"System Process Running from Unexpected Location - SSA\",\n            \"id\": \"28179107-099a-464a-94d3-08301e6c055f\",\n            \"version\": 1,\n            \"date\": \"2020-08-25\",\n            \"description\": \"An attacker tries might try to use different version of a system command without overriding original, or they might try to avoid some detection running the process from a different folder. This detection checks that a list of system processes run inside C:\\\\\\\\Windows\\\\System32 or C:\\\\\\\\Windows\\\\SysWOW64 The list of system processes has been extracted from https://github.com/splunk/security-content/blob/develop/lookups/is_windows_system_file.csv and the original detection https://github.com/splunk/security-content/blob/develop/detections/system_processes_run_from_unexpected_locations.yml\",\n            \"how_to_implement\": \"Collect endpoint data such as sysmon or 4688 events.\",\n            \"references\": [],\n            \"type\": \"SSA\",\n            \"author\": \"Ignacio Bermudez Corrales, Splunk\",\n            \"search\": \" | from read_ssa_enriched_events() | eval device=ucast(map_get(input_event, \\\"dest_device_id\\\"), \\\"string\\\", null), timestamp=parse_long(ucast(map_get(input_event, \\\"_time\\\"), \\\"string\\\", null)), process_name=lower(ucast(map_get(input_event, \\\"process_name\\\"), \\\"string\\\", null)), process_path=lower(ucast(map_get(input_event, \\\"process_path\\\"), \\\"string\\\", null)), | where process_name=\\\"arp.exe\\\" OR process_name=\\\"adaptertroubleshooter.exe\\\" OR 
process_name=\\\"applicationframehost.exe\\\" OR process_name=\\\"atbroker.exe\\\" OR process_name=\\\"authhost.exe\\\" OR process_name=\\\"autoworkplace.exe\\\" OR process_name=\\\"axinstui.exe\\\" OR process_name=\\\"backgroundtransferhost.exe\\\" OR process_name=\\\"bdehdcfg.exe\\\" OR process_name=\\\"bdeuisrv.exe\\\" OR process_name=\\\"bdeunlockwizard.exe\\\" OR process_name=\\\"bitlockerdeviceencryption.exe\\\" OR process_name=\\\"bitlockerwizard.exe\\\" OR process_name=\\\"bitlockerwizardelev.exe\\\" OR process_name=\\\"bytecodegenerator.exe\\\" OR process_name=\\\"camerasettingsuihost.exe\\\" OR process_name=\\\"castsrv.exe\\\" OR process_name=\\\"certenrollctrl.exe\\\" OR process_name=\\\"checknetisolation.exe\\\" OR process_name=\\\"clipup.exe\\\" OR process_name=\\\"cloudexperiencehostbroker.exe\\\" OR process_name=\\\"cloudnotifications.exe\\\" OR process_name=\\\"cloudstoragewizard.exe\\\" OR process_name=\\\"compmgmtlauncher.exe\\\" OR process_name=\\\"compattelrunner.exe\\\" OR process_name=\\\"computerdefaults.exe\\\" OR process_name=\\\"credentialuibroker.exe\\\" OR process_name=\\\"dfdwiz.exe\\\" OR process_name=\\\"dwwin.exe\\\" OR process_name=\\\"dataexchangehost.exe\\\" OR process_name=\\\"defrag.exe\\\" OR process_name=\\\"devicedisplayobjectprovider.exe\\\" OR process_name=\\\"deviceeject.exe\\\" OR process_name=\\\"deviceenroller.exe\\\" OR process_name=\\\"devicepairingwizard.exe\\\" OR process_name=\\\"deviceproperties.exe\\\" OR process_name=\\\"disksnapshot.exe\\\" OR process_name=\\\"dism.exe\\\" OR process_name=\\\"displayswitch.exe\\\" OR process_name=\\\"dmnotificationbroker.exe\\\" OR process_name=\\\"dmomacpmo.exe\\\" OR process_name=\\\"dpiscaling.exe\\\" OR process_name=\\\"dsmusertask.exe\\\" OR process_name=\\\"dxpserver.exe\\\" OR process_name=\\\"edpcleanup.exe\\\" OR process_name=\\\"eosnotify.exe\\\" OR process_name=\\\"eap3host.exe\\\" OR process_name=\\\"easpoliciesbrokerhost.exe\\\" OR 
process_name=\\\"easeofaccessdialog.exe\\\" OR process_name=\\\"ehstorauthn.exe\\\" OR process_name=\\\"fxscover.exe\\\" OR process_name=\\\"fxssvc.exe\\\" OR process_name=\\\"fxsunatd.exe\\\" OR process_name=\\\"filehistory.exe\\\" OR process_name=\\\"fondue.exe\\\" OR process_name=\\\"gamepanel.exe\\\" OR process_name=\\\"genvalobj.exe\\\" OR process_name=\\\"gettingstarted.exe\\\" OR process_name=\\\"hostname.exe\\\" OR process_name=\\\"icsentitlementhost.exe\\\" OR process_name=\\\"infdefaultinstall.exe\\\" OR process_name=\\\"installagent.exe\\\" OR process_name=\\\"languagecomponentsinstallercomhandler.exe\\\" OR process_name=\\\"launchtm.exe\\\" OR process_name=\\\"launchwinapp.exe\\\" OR process_name=\\\"legacynetuxhost.exe\\\" OR process_name=\\\"licensemanagershellext.exe\\\" OR process_name=\\\"licensingui.exe\\\" OR process_name=\\\"locationnotificationwindows.exe\\\" OR process_name=\\\"locationnotifications.exe\\\" OR process_name=\\\"locator.exe\\\" OR process_name=\\\"lockapphost.exe\\\" OR process_name=\\\"lockscreencontentserver.exe\\\" OR process_name=\\\"logonui.exe\\\" OR process_name=\\\"lsaiso.exe\\\" OR process_name=\\\"mdeserver.exe\\\" OR process_name=\\\"mdmagent.exe\\\" OR process_name=\\\"mdmappinstaller.exe\\\" OR process_name=\\\"mrinfo.exe\\\" OR process_name=\\\"mrt.exe\\\" OR process_name=\\\"mschedexe.exe\\\" OR process_name=\\\"magnify.exe\\\" OR process_name=\\\"mbaeparsertask.exe\\\" OR process_name=\\\"mdres.exe\\\" OR process_name=\\\"mdsched.exe\\\" OR process_name=\\\"migautoplay.exe\\\" OR process_name=\\\"mpsigstub.exe\\\" OR process_name=\\\"msspellcheckinghost.exe\\\" OR process_name=\\\"muiunattend.exe\\\" OR process_name=\\\"multidigimon.exe\\\" OR process_name=\\\"musnotification.exe\\\" OR process_name=\\\"musnotificationux.exe\\\" OR process_name=\\\"napstat.exe\\\" OR process_name=\\\"netstat.exe\\\" OR process_name=\\\"narrator.exe\\\" OR process_name=\\\"netcfgnotifyobjecthost.exe\\\" OR 
process_name=\\\"netevtfwdr.exe\\\" OR process_name=\\\"netproj.exe\\\" OR process_name=\\\"netplwiz.exe\\\" OR process_name=\\\"networkuxbroker.exe\\\" OR process_name=\\\"openwith.exe\\\" OR process_name=\\\"optionalfeatures.exe\\\" OR process_name=\\\"pathping.exe\\\" OR process_name=\\\"ping.exe\\\" OR process_name=\\\"passwordonwakesettingflyout.exe\\\" OR process_name=\\\"pickerhost.exe\\\" OR process_name=\\\"pkgmgr.exe\\\" OR process_name=\\\"pnpunattend.exe\\\" OR process_name=\\\"pnputil.exe\\\" OR process_name=\\\"presentationhost.exe\\\" OR process_name=\\\"presentationsettings.exe\\\" OR process_name=\\\"printbrmui.exe\\\" OR process_name=\\\"printdialoghost.exe\\\" OR process_name=\\\"printdialoghost3d.exe\\\" OR process_name=\\\"printisolationhost.exe\\\" OR process_name=\\\"proximityuxhost.exe\\\" OR process_name=\\\"rdspnf.exe\\\" OR process_name=\\\"rmactivate.exe\\\" OR process_name=\\\"rmactivate_isv.exe\\\" OR process_name=\\\"rmactivate_ssp.exe\\\" OR process_name=\\\"rmactivate_ssp_isv.exe\\\" OR process_name=\\\"route.exe\\\" OR process_name=\\\"rdpsa.exe\\\" OR process_name=\\\"rdpsaproxy.exe\\\" OR process_name=\\\"rdpsauachelper.exe\\\" OR process_name=\\\"reagentc.exe\\\" OR process_name=\\\"recoverydrive.exe\\\" OR process_name=\\\"register-cimprovider.exe\\\" OR process_name=\\\"registeriepkeys.exe\\\" OR process_name=\\\"relpost.exe\\\" OR process_name=\\\"remoteposworker.exe\\\" OR process_name=\\\"rmclient.exe\\\" OR process_name=\\\"robocopy.exe\\\" OR process_name=\\\"rpcping.exe\\\" OR process_name=\\\"runlegacycplelevated.exe\\\" OR process_name=\\\"runtimebroker.exe\\\" OR process_name=\\\"sihclient.exe\\\" OR process_name=\\\"searchfilterhost.exe\\\" OR process_name=\\\"searchindexer.exe\\\" OR process_name=\\\"searchprotocolhost.exe\\\" OR process_name=\\\"secedit.exe\\\" OR process_name=\\\"sensordataservice.exe\\\" OR process_name=\\\"setieinstalleddate.exe\\\" OR process_name=\\\"settingsynchost.exe\\\" OR 
process_name=\\\"slidetoshutdown.exe\\\" OR process_name=\\\"smartscreensettings.exe\\\" OR process_name=\\\"sndvol.exe\\\" OR process_name=\\\"snippingtool.exe\\\" OR process_name=\\\"soundrecorder.exe\\\" OR process_name=\\\"spaceagent.exe\\\" OR process_name=\\\"sppextcomobj.exe\\\" OR process_name=\\\"srtasks.exe\\\" OR process_name=\\\"stikynot.exe\\\" OR process_name=\\\"synchost.exe\\\" OR process_name=\\\"sysreseterr.exe\\\" OR process_name=\\\"systempropertiesadvanced.exe\\\" OR process_name=\\\"systempropertiescomputername.exe\\\" OR process_name=\\\"systempropertiesdataexecutionprevention.exe\\\" OR process_name=\\\"systempropertieshardware.exe\\\" OR process_name=\\\"systempropertiesperformance.exe\\\" OR process_name=\\\"systempropertiesprotection.exe\\\" OR process_name=\\\"systempropertiesremote.exe\\\" OR process_name=\\\"systemsettingsadminflows.exe\\\" OR process_name=\\\"systemsettingsbroker.exe\\\" OR process_name=\\\"systemsettingsremovedevice.exe\\\" OR process_name=\\\"tcpsvcs.exe\\\" OR process_name=\\\"tracert.exe\\\" OR process_name=\\\"tstheme.exe\\\" OR process_name=\\\"tswbprxy.exe\\\" OR process_name=\\\"tapiunattend.exe\\\" OR process_name=\\\"taskmgr.exe\\\" OR process_name=\\\"thumbnailextractionhost.exe\\\" OR process_name=\\\"tokenbrokercookies.exe\\\" OR process_name=\\\"tpminit.exe\\\" OR process_name=\\\"tswpfwrp.exe\\\" OR process_name=\\\"ui0detect.exe\\\" OR process_name=\\\"upgraderesultsui.exe\\\" OR process_name=\\\"useraccountbroker.exe\\\" OR process_name=\\\"useraccountcontrolsettings.exe\\\" OR process_name=\\\"usoclient.exe\\\" OR process_name=\\\"utilman.exe\\\" OR process_name=\\\"vssvc.exe\\\" OR process_name=\\\"vaultcmd.exe\\\" OR process_name=\\\"vaultsysui.exe\\\" OR process_name=\\\"wfs.exe\\\" OR process_name=\\\"wmpdmc.exe\\\" OR process_name=\\\"wpdshextautoplay.exe\\\" OR process_name=\\\"wscollect.exe\\\" OR process_name=\\\"wsmanhttpconfig.exe\\\" OR process_name=\\\"wsreset.exe\\\" OR 
process_name=\\\"wudfhost.exe\\\" OR process_name=\\\"wwahost.exe\\\" OR process_name=\\\"wallpaperhost.exe\\\" OR process_name=\\\"webcache.exe\\\" OR process_name=\\\"werfault.exe\\\" OR process_name=\\\"werfaultsecure.exe\\\" OR process_name=\\\"winsat.exe\\\" OR process_name=\\\"windows.media.backgroundplayback.exe\\\" OR process_name=\\\"windowsactiondialog.exe\\\" OR process_name=\\\"windowsanytimeupgrade.exe\\\" OR process_name=\\\"windowsanytimeupgraderesults.exe\\\" OR process_name=\\\"windowsanytimeupgradeui.exe\\\" OR process_name=\\\"windowsupdateelevatedinstaller.exe\\\" OR process_name=\\\"workfolders.exe\\\" OR process_name=\\\"wpcmon.exe\\\" OR process_name=\\\"acu.exe\\\" OR process_name=\\\"aitagent.exe\\\" OR process_name=\\\"aitstatic.exe\\\" OR process_name=\\\"alg.exe\\\" OR process_name=\\\"appidcertstorecheck.exe\\\" OR process_name=\\\"appidpolicyconverter.exe\\\" OR process_name=\\\"at.exe\\\" OR process_name=\\\"attrib.exe\\\" OR process_name=\\\"audiodg.exe\\\" OR process_name=\\\"auditpol.exe\\\" OR process_name=\\\"autochk.exe\\\" OR process_name=\\\"autoconv.exe\\\" OR process_name=\\\"autofmt.exe\\\" OR process_name=\\\"baaupdate.exe\\\" OR process_name=\\\"backgroundtaskhost.exe\\\" OR process_name=\\\"bcastdvr.exe\\\" OR process_name=\\\"bcdboot.exe\\\" OR process_name=\\\"bcdedit.exe\\\" OR process_name=\\\"bdechangepin.exe\\\" OR process_name=\\\"bdeunlock.exe\\\" OR process_name=\\\"bitsadmin.exe\\\" OR process_name=\\\"bootcfg.exe\\\" OR process_name=\\\"bootim.exe\\\" OR process_name=\\\"bootsect.exe\\\" OR process_name=\\\"bridgeunattend.exe\\\" OR process_name=\\\"browser_broker.exe\\\" OR process_name=\\\"bthudtask.exe\\\" OR process_name=\\\"cacls.exe\\\" OR process_name=\\\"calc.exe\\\" OR process_name=\\\"cdpreference.exe\\\" OR process_name=\\\"certreq.exe\\\" OR process_name=\\\"certutil.exe\\\" OR process_name=\\\"change.exe\\\" OR process_name=\\\"changepk.exe\\\" OR process_name=\\\"charmap.exe\\\" OR 
process_name=\\\"chglogon.exe\\\" OR process_name=\\\"chgport.exe\\\" OR process_name=\\\"chgusr.exe\\\" OR process_name=\\\"chkdsk.exe\\\" OR process_name=\\\"chkntfs.exe\\\" OR process_name=\\\"choice.exe\\\" OR process_name=\\\"cipher.exe\\\" OR process_name=\\\"cleanmgr.exe\\\" OR process_name=\\\"cliconfg.exe\\\" OR process_name=\\\"clip.exe\\\" OR process_name=\\\"cmd.exe\\\" OR process_name=\\\"cmdkey.exe\\\" OR process_name=\\\"cmdl32.exe\\\" OR process_name=\\\"cmmon32.exe\\\" OR process_name=\\\"cmstp.exe\\\" OR process_name=\\\"cofire.exe\\\" OR process_name=\\\"colorcpl.exe\\\" OR process_name=\\\"comp.exe\\\" OR process_name=\\\"compact.exe\\\" OR process_name=\\\"conhost.exe\\\" OR process_name=\\\"consent.exe\\\" OR process_name=\\\"control.exe\\\" OR process_name=\\\"convert.exe\\\" OR process_name=\\\"credwiz.exe\\\" OR process_name=\\\"cscript.exe\\\" OR process_name=\\\"csrss.exe\\\" OR process_name=\\\"ctfmon.exe\\\" OR process_name=\\\"cttune.exe\\\" OR process_name=\\\"cttunesvr.exe\\\" OR process_name=\\\"dashost.exe\\\" OR process_name=\\\"dccw.exe\\\" OR process_name=\\\"dcomcnfg.exe\\\" OR process_name=\\\"ddodiag.exe\\\" OR process_name=\\\"dfrgui.exe\\\" OR process_name=\\\"dialer.exe\\\" OR process_name=\\\"diantz.exe\\\" OR process_name=\\\"dinotify.exe\\\" OR process_name=\\\"diskpart.exe\\\" OR process_name=\\\"diskperf.exe\\\" OR process_name=\\\"diskraid.exe\\\" OR process_name=\\\"dispdiag.exe\\\" OR process_name=\\\"djoin.exe\\\" OR process_name=\\\"dllhost.exe\\\" OR process_name=\\\"dllhst3g.exe\\\" OR process_name=\\\"dmcertinst.exe\\\" OR process_name=\\\"dmcfghost.exe\\\" OR process_name=\\\"dmclient.exe\\\" OR process_name=\\\"dnscacheugc.exe\\\" OR process_name=\\\"doskey.exe\\\" OR process_name=\\\"dpapimig.exe\\\" OR process_name=\\\"dpnsvr.exe\\\" OR process_name=\\\"driverquery.exe\\\" OR process_name=\\\"drvcfg.exe\\\" OR process_name=\\\"drvinst.exe\\\" OR process_name=\\\"dsregcmd.exe\\\" OR 
process_name=\\\"dstokenclean.exe\\\" OR process_name=\\\"dvdplay.exe\\\" OR process_name=\\\"dvdupgrd.exe\\\" OR process_name=\\\"dwm.exe\\\" OR process_name=\\\"dxdiag.exe\\\" OR process_name=\\\"easinvoker.exe\\\" OR process_name=\\\"efsui.exe\\\" OR process_name=\\\"embeddedapplauncher.exe\\\" OR process_name=\\\"esentutl.exe\\\" OR process_name=\\\"eudcedit.exe\\\" OR process_name=\\\"eventcreate.exe\\\" OR process_name=\\\"eventvwr.exe\\\" OR process_name=\\\"expand.exe\\\" OR process_name=\\\"extrac32.exe\\\" OR process_name=\\\"fc.exe\\\" OR process_name=\\\"fhmanagew.exe\\\" OR process_name=\\\"find.exe\\\" OR process_name=\\\"findstr.exe\\\" OR process_name=\\\"finger.exe\\\" OR process_name=\\\"fixmapi.exe\\\" OR process_name=\\\"fltmc.exe\\\" OR process_name=\\\"fodhelper.exe\\\" OR process_name=\\\"fontdrvhost.exe\\\" OR process_name=\\\"fontview.exe\\\" OR process_name=\\\"forfiles.exe\\\" OR process_name=\\\"fsavailux.exe\\\" OR process_name=\\\"fsquirt.exe\\\" OR process_name=\\\"fsutil.exe\\\" OR process_name=\\\"ftp.exe\\\" OR process_name=\\\"fvenotify.exe\\\" OR process_name=\\\"fveprompt.exe\\\" OR process_name=\\\"getmac.exe\\\" OR process_name=\\\"gpresult.exe\\\" OR process_name=\\\"gpscript.exe\\\" OR process_name=\\\"gpupdate.exe\\\" OR process_name=\\\"grpconv.exe\\\" OR process_name=\\\"hdwwiz.exe\\\" OR process_name=\\\"help.exe\\\" OR process_name=\\\"hwrcomp.exe\\\" OR process_name=\\\"hwrreg.exe\\\" OR process_name=\\\"icacls.exe\\\" OR process_name=\\\"icardagt.exe\\\" OR process_name=\\\"icsunattend.exe\\\" OR process_name=\\\"ie4uinit.exe\\\" OR process_name=\\\"ieunatt.exe\\\" OR process_name=\\\"ieetwcollector.exe\\\" OR process_name=\\\"iexpress.exe\\\" OR process_name=\\\"immersivetpmvscmgrsvr.exe\\\" OR process_name=\\\"ipconfig.exe\\\" OR process_name=\\\"irftp.exe\\\" OR process_name=\\\"iscsicli.exe\\\" OR process_name=\\\"iscsicpl.exe\\\" OR process_name=\\\"isoburn.exe\\\" OR process_name=\\\"klist.exe\\\" OR 
process_name=\\\"ksetup.exe\\\" OR process_name=\\\"ktmutil.exe\\\" OR process_name=\\\"label.exe\\\" OR process_name=\\\"licensingdiag.exe\\\" OR process_name=\\\"lodctr.exe\\\" OR process_name=\\\"logagent.exe\\\" OR process_name=\\\"logman.exe\\\" OR process_name=\\\"logoff.exe\\\" OR process_name=\\\"lpkinstall.exe\\\" OR process_name=\\\"lpksetup.exe\\\" OR process_name=\\\"lpremove.exe\\\" OR process_name=\\\"lsass.exe\\\" OR process_name=\\\"lsm.exe\\\" OR process_name=\\\"makecab.exe\\\" OR process_name=\\\"manage-bde.exe\\\" OR process_name=\\\"mblctr.exe\\\" OR process_name=\\\"mcbuilder.exe\\\" OR process_name=\\\"mctadmin.exe\\\" OR process_name=\\\"mfpmp.exe\\\" OR process_name=\\\"mmc.exe\\\" OR process_name=\\\"mobsync.exe\\\" OR process_name=\\\"mountvol.exe\\\" OR process_name=\\\"mpnotify.exe\\\" OR process_name=\\\"msconfig.exe\\\" OR process_name=\\\"msdt.exe\\\" OR process_name=\\\"msdtc.exe\\\" OR process_name=\\\"msfeedssync.exe\\\" OR process_name=\\\"msg.exe\\\" OR process_name=\\\"mshta.exe\\\" OR process_name=\\\"msiexec.exe\\\" OR process_name=\\\"msinfo32.exe\\\" OR process_name=\\\"mspaint.exe\\\" OR process_name=\\\"msra.exe\\\" OR process_name=\\\"mstsc.exe\\\" OR process_name=\\\"mtstocom.exe\\\" OR process_name=\\\"nbtstat.exe\\\" OR process_name=\\\"ndadmin.exe\\\" OR process_name=\\\"net.exe\\\" OR process_name=\\\"net1.exe\\\" OR process_name=\\\"netbtugc.exe\\\" OR process_name=\\\"netcfg.exe\\\" OR process_name=\\\"netiougc.exe\\\" OR process_name=\\\"netsh.exe\\\" OR process_name=\\\"newdev.exe\\\" OR process_name=\\\"nltest.exe\\\" OR process_name=\\\"notepad.exe\\\" OR process_name=\\\"nslookup.exe\\\" OR process_name=\\\"ntoskrnl.exe\\\" OR process_name=\\\"ntprint.exe\\\" OR process_name=\\\"ocsetup.exe\\\" OR process_name=\\\"odbcad32.exe\\\" OR process_name=\\\"odbcconf.exe\\\" OR process_name=\\\"omadmclient.exe\\\" OR process_name=\\\"omadmprc.exe\\\" OR process_name=\\\"openfiles.exe\\\" OR 
process_name=\\\"osk.exe\\\" OR process_name=\\\"p2phost.exe\\\" OR process_name=\\\"pcalua.exe\\\" OR process_name=\\\"pcaui.exe\\\" OR process_name=\\\"pcawrk.exe\\\" OR process_name=\\\"pcwrun.exe\\\" OR process_name=\\\"perfmon.exe\\\" OR process_name=\\\"phoneactivate.exe\\\" OR process_name=\\\"plasrv.exe\\\" OR process_name=\\\"poqexec.exe\\\" OR process_name=\\\"powercfg.exe\\\" OR process_name=\\\"prevhost.exe\\\" OR process_name=\\\"print.exe\\\" OR process_name=\\\"printfilterpipelinesvc.exe\\\" OR process_name=\\\"printui.exe\\\" OR process_name=\\\"proquota.exe\\\" OR process_name=\\\"provtool.exe\\\" OR process_name=\\\"psr.exe\\\" OR process_name=\\\"pwlauncher.exe\\\" OR process_name=\\\"qappsrv.exe\\\" OR process_name=\\\"qprocess.exe\\\" OR process_name=\\\"query.exe\\\" OR process_name=\\\"quser.exe\\\" OR process_name=\\\"qwinsta.exe\\\" OR process_name=\\\"rasautou.exe\\\" OR process_name=\\\"rasdial.exe\\\" OR process_name=\\\"raserver.exe\\\" OR process_name=\\\"rasphone.exe\\\" OR process_name=\\\"rdpclip.exe\\\" OR process_name=\\\"rdpinput.exe\\\" OR process_name=\\\"rdrleakdiag.exe\\\" OR process_name=\\\"recdisc.exe\\\" OR process_name=\\\"recover.exe\\\" OR process_name=\\\"reg.exe\\\" OR process_name=\\\"regedt32.exe\\\" OR process_name=\\\"regini.exe\\\" OR process_name=\\\"regsvr32.exe\\\" OR process_name=\\\"rekeywiz.exe\\\" OR process_name=\\\"relog.exe\\\" OR process_name=\\\"repair-bde.exe\\\" OR process_name=\\\"replace.exe\\\" OR process_name=\\\"reset.exe\\\" OR process_name=\\\"resmon.exe\\\" OR process_name=\\\"rmttpmvscmgrsvr.exe\\\" OR process_name=\\\"rrinstaller.exe\\\" OR process_name=\\\"rstrui.exe\\\" OR process_name=\\\"runas.exe\\\" OR process_name=\\\"rundll32.exe\\\" OR process_name=\\\"runonce.exe\\\" OR process_name=\\\"rwinsta.exe\\\" OR process_name=\\\"sbunattend.exe\\\" OR process_name=\\\"sc.exe\\\" OR process_name=\\\"schtasks.exe\\\" OR process_name=\\\"sdbinst.exe\\\" OR process_name=\\\"sdchange.exe\\\" 
OR process_name=\\\"sdclt.exe\\\" OR process_name=\\\"sdiagnhost.exe\\\" OR process_name=\\\"secinit.exe\\\" OR process_name=\\\"services.exe\\\" OR process_name=\\\"sessionmsg.exe\\\" OR process_name=\\\"sethc.exe\\\" OR process_name=\\\"setspn.exe\\\" OR process_name=\\\"setupcl.exe\\\" OR process_name=\\\"setupugc.exe\\\" OR process_name=\\\"setx.exe\\\" OR process_name=\\\"sfc.exe\\\" OR process_name=\\\"shadow.exe\\\" OR process_name=\\\"shrpubw.exe\\\" OR process_name=\\\"shutdown.exe\\\" OR process_name=\\\"sigverif.exe\\\" OR process_name=\\\"sihost.exe\\\" OR process_name=\\\"slui.exe\\\" OR process_name=\\\"smss.exe\\\" OR process_name=\\\"snmptrap.exe\\\" OR process_name=\\\"sort.exe\\\" OR process_name=\\\"spinstall.exe\\\" OR process_name=\\\"spoolsv.exe\\\" OR process_name=\\\"sppsvc.exe\\\" OR process_name=\\\"spreview.exe\\\" OR process_name=\\\"srdelayed.exe\\\" OR process_name=\\\"subst.exe\\\" OR process_name=\\\"svchost.exe\\\" OR process_name=\\\"sxstrace.exe\\\" OR process_name=\\\"syskey.exe\\\" OR process_name=\\\"systeminfo.exe\\\" OR process_name=\\\"systemreset.exe\\\" OR process_name=\\\"systray.exe\\\" OR process_name=\\\"tabcal.exe\\\" OR process_name=\\\"takeown.exe\\\" OR process_name=\\\"taskeng.exe\\\" OR process_name=\\\"taskhost.exe\\\" OR process_name=\\\"taskhostw.exe\\\" OR process_name=\\\"taskkill.exe\\\" OR process_name=\\\"tasklist.exe\\\" OR process_name=\\\"taskmgr.exe\\\" OR process_name=\\\"tcmsetup.exe\\\" OR process_name=\\\"timeout.exe\\\" OR process_name=\\\"tpmvscmgr.exe\\\" OR process_name=\\\"tpmvscmgrsvr.exe\\\" OR process_name=\\\"tracerpt.exe\\\" OR process_name=\\\"tscon.exe\\\" OR process_name=\\\"tsdiscon.exe\\\" OR process_name=\\\"tskill.exe\\\" OR process_name=\\\"typeperf.exe\\\" OR process_name=\\\"tzsync.exe\\\" OR process_name=\\\"tzutil.exe\\\" OR process_name=\\\"ucsvc.exe\\\" OR process_name=\\\"unlodctr.exe\\\" OR process_name=\\\"unregmp2.exe\\\" OR process_name=\\\"upnpcont.exe\\\" OR 
process_name=\\\"userinit.exe\\\" OR process_name=\\\"vds.exe\\\" OR process_name=\\\"vdsldr.exe\\\" OR process_name=\\\"verclsid.exe\\\" OR process_name=\\\"verifier.exe\\\" OR process_name=\\\"verifiergui.exe\\\" OR process_name=\\\"vmicsvc.exe\\\" OR process_name=\\\"vssadmin.exe\\\" OR process_name=\\\"w32tm.exe\\\" OR process_name=\\\"waitfor.exe\\\" OR process_name=\\\"wbadmin.exe\\\" OR process_name=\\\"wbengine.exe\\\" OR process_name=\\\"wecutil.exe\\\" OR process_name=\\\"wermgr.exe\\\" OR process_name=\\\"wevtutil.exe\\\" OR process_name=\\\"wextract.exe\\\" OR process_name=\\\"where.exe\\\" OR process_name=\\\"whoami.exe\\\" OR process_name=\\\"wiaacmgr.exe\\\" OR process_name=\\\"wiawow64.exe\\\" OR process_name=\\\"wifitask.exe\\\" OR process_name=\\\"wimserv.exe\\\" OR process_name=\\\"wininit.exe\\\" OR process_name=\\\"winload.exe\\\" OR process_name=\\\"winlogon.exe\\\" OR process_name=\\\"winresume.exe\\\" OR process_name=\\\"winrs.exe\\\" OR process_name=\\\"winrshost.exe\\\" OR process_name=\\\"winver.exe\\\" OR process_name=\\\"wisptis.exe\\\" OR process_name=\\\"wkspbroker.exe\\\" OR process_name=\\\"wksprt.exe\\\" OR process_name=\\\"wlanext.exe\\\" OR process_name=\\\"wlrmdr.exe\\\" OR process_name=\\\"wowreg32.exe\\\" OR process_name=\\\"wpnpinst.exe\\\" OR process_name=\\\"wpr.exe\\\" OR process_name=\\\"write.exe\\\" OR process_name=\\\"wscript.exe\\\" OR process_name=\\\"wsmprovhost.exe\\\" OR process_name=\\\"wsqmcons.exe\\\" OR process_name=\\\"wuapihost.exe\\\" OR process_name=\\\"wuapp.exe\\\" OR process_name=\\\"wuauclt.exe\\\" OR process_name=\\\"wusa.exe\\\" OR process_name=\\\"xcopy.exe\\\" OR process_name=\\\"xpsrchvw.exe\\\" OR process_name=\\\"xwizard.exe\\\" | where process_path!=\\\"c:\\\\\\\\windows\\\\\\\\system32\\\" AND process_path!=\\\"c:\\\\\\\\windows\\\\\\\\syswow64\\\" | eval start_time = timestamp, end_time = timestamp, entities = mvappend(device), body = \\\"TBD\\\" | into write_ssa_detected_events();\",\n       
     \"known_false_positives\": \"None\",\n            \"tags\": {\n                \"mitre_technique_id\": [\n                    \"T1036\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"risk_severity\": \"low\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            }\n        },\n        {\n            \"name\": \"System Processes Run From Unexpected Locations\",\n            \"id\": \"a34aae96-ccf8-4aef-952c-3ea21444444d\",\n            \"version\": 5,\n            \"date\": \"2020-02-04\",\n            \"description\": \"This search looks for system processes that normally run out of C:\\\\Windows\\\\System32\\\\ or C:\\\\Windows\\\\SysWOW64 that are not run from that location.  This can indicate a malicious process that is trying to hide as a legitimate process.\",\n            \"how_to_implement\": \"To successfully implement this search you need to ingest details about process execution from your hosts. 
Specifically, this search requires the process name and the full path to the process executable.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !=\\\"C:\\\\\\\\Windows\\\\\\\\System32*\\\" Processes.process_path !=\\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64*\\\" by Processes.user Processes.dest Processes.process_name Processes.process_id Processes.process_path Processes.parent_process_name Processes.process_hash| `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file` | `system_processes_run_from_unexpected_locations_filter`\",\n            \"known_false_positives\": \"None identified\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Command-Line Executions\",\n                    \"Unusual Processes\",\n                    \"Ransomware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1036\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Masquerading\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Windshift\",\n                    \"APT32\",\n                    
\"BRONZE BUTLER\",\n                    \"menuPass\",\n                    \"Dragonfly 2.0\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true\",\n                    \"description\": \"This macro limits the output to process names that are in the Windows System directory\",\n                    \"name\": \"is_windows_system_file\"\n                },\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"system_processes_run_from_unexpected_locations_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Uncommon Processes On Endpoint\",\n            \"id\": \"29ccce64-a10c-4389-a45f-337cb29ba1f7\",\n            \"version\": 4,\n            \"date\": \"2020-07-22\",\n            \"description\": \"This search looks for applications on the endpoint that you have marked as uncommon.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. 
You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. This search uses a lookup file `uncommon_processes_default.csv` to track various features of process names that are usually uncommon in most environments. Please consider updating `uncommon_processes_local.csv` to hunt for processes that are uncommon in your environment.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `uncommon_processes` |`uncommon_processes_on_endpoint_filter` \",\n            \"known_false_positives\": \"None identified\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Privilege Escalation\",\n                    \"Unusual Processes\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1204.002\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 2\"\n                ],\n                \"nist\": [\n                    \"ID.AM\",\n                    \"PR.DS\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Malicious File\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                 
   \"Magic Hound\",\n                    \"Windshift\",\n                    \"APT33\",\n                    \"Sandworm Team\",\n                    \"Naikon\",\n                    \"Whitefly\",\n                    \"Tropic Trooper\",\n                    \"Gamaredon Group\",\n                    \"Sharpshooter\",\n                    \"Molerats\",\n                    \"Wizard Spider\",\n                    \"Mofang\",\n                    \"Frankenstein\",\n                    \"RTM\",\n                    \"Inception\",\n                    \"BlackTech\",\n                    \"APT-C-36\",\n                    \"Machete\",\n                    \"admin@338\",\n                    \"APT12\",\n                    \"TA505\",\n                    \"Silence\",\n                    \"The White Company\",\n                    \"APT39\",\n                    \"FIN4\",\n                    \"Darkhotel\",\n                    \"Gallmaker\",\n                    \"APT19\",\n                    \"Dragonfly 2.0\",\n                    \"BRONZE BUTLER\",\n                    \"Cobalt Group\",\n                    \"DarkHydrus\",\n                    \"Gorgon Group\",\n                    \"Patchwork\",\n                    \"OilRig\",\n                    \"Dark Caracal\",\n                    \"MuddyWater\",\n                    \"Lazarus Group\",\n                    \"FIN7\",\n                    \"APT32\",\n                    \"Rancor\",\n                    \"APT37\",\n                    \"FIN8\",\n                    \"APT28\",\n                    \"Elderwood\",\n                    \"TA459\",\n                    \"APT29\",\n                    \"Leviathan\",\n                    \"menuPass\",\n                    \"PLATINUM\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries 
only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"lookup update=true lookup_uncommon_processes_default process_name as process_name outputnew uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default | lookup update=true  lookup_uncommon_processes_local process_name as process_name outputnew uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local | eval uncommon = coalesce(uncommon_default, uncommon_local), analytic_story = coalesce(analytic_story_default, analytic_story_local), category=coalesce(category_default, category_local), kill_chain_phase=coalesce(kill_chain_phase_default, kill_chain_phase_local), mitre_attack=coalesce(mitre_attack_default, mitre_attack_local) | fields - analytic_story_default, analytic_story_local, category_default, category_local, kill_chain_phase_default, kill_chain_phase_local, mitre_attack_default, mitre_attack_local, uncommon_default, uncommon_local | search uncommon=true\",\n                    \"description\": \"This macro limits the output to processes that have been marked as uncommon\",\n                    \"name\": \"uncommon_processes\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"uncommon_processes_on_endpoint_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Unload Sysmon Filter Driver\",\n            \"id\": \"c77162d3-f93c-45cc-80c8-22f665664g9f\",\n            \"version\": 3,\n            \"date\": \"2020-07-22\",\n            \"description\": \"Attackers often disable security tools to avoid detection. This search looks for the usage of process `fltMC.exe` to unload a Sysmon Driver that will stop sysmon from collecting the data.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. This search is also shipped with `unload_sysmon_filter_driver_filter` macro, update this macro to filter out false positives.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fltMC.exe AND Processes.process=*unload* AND Processes.process=*SysmonDrv*  by Processes.process_name Processes.process_id Processes.parent_process_name Processes.process Processes.dest Processes.user | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` |`unload_sysmon_filter_driver_filter`| table firstTime lastTime dest user count process_name process_id parent_process_name process\",\n            \"known_false_positives\": \"\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Disabling Security Tools\"\n             
   ],\n                \"mitre_attack_id\": [\n                    \"T1562.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"\",\n                \"mitre_attack_technique\": [\n                    \"Disable or Modify Tools\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Gamaredon Group\",\n                    \"BRONZE BUTLER\",\n                    \"Rocke\",\n                    \"Kimsuky\",\n                    \"Turla\",\n                    \"Night Dragon\",\n                    \"Gorgon Group\",\n                    \"Lazarus Group\",\n                    \"Putter Panda\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"unload_sysmon_filter_driver_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Unsigned Image Loaded by LSASS\",\n            \"id\": \"56ef054c-76ef-45f9-af4a-a634695dcd65\",\n            \"version\": 1,\n            \"date\": \"2019-12-06\",\n            \"description\": \"This search detects loading of unsigned images by LSASS.\",\n            \"how_to_implement\": \"This search needs Sysmon Logs with a sysmon configuration, which includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\"\n            ],\n            \"author\": \"Patrick Bareiss, Splunk\",\n            \"search\": \"`sysmon` EventID=7 Image=*lsass.exe Signed=false | stats count min(_time) as firstTime max(_time) as lastTime by Computer, Image, ImageLoaded, Signed, SHA1 | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `unsigned_image_loaded_by_lsass_filter` \",\n            \"known_false_positives\": \"Other tools could load images into LSASS for legitimate reason. 
But enterprise tools should always use signed DLLs.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Credential Dumping\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1003.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Windows\",\n                \"mitre_attack_technique\": [\n                    \"LSASS Memory\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Credential Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"Whitefly\",\n                    \"Blue Mockingbird\",\n                    \"Silence\",\n                    \"Threat Group-3390\",\n                    \"Leviathan\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"TEMP.Veles\",\n                    \"APT33\",\n                    \"APT39\",\n                    \"Stolen Pencil\",\n                    \"APT32\",\n                    \"Lazarus Group\",\n                    \"Leafminer\",\n                    \"Magic Hound\",\n                    \"MuddyWater\",\n                    \"PLATINUM\",\n                    \"FIN8\",\n                    \"BRONZE BUTLER\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"APT3\",\n                    \"APT28\",\n                    \"APT1\",\n                    \"Ke3chang\",\n                    \"Cleaver\"\n                ]\n            },\n            \"macros\": [\n                {\n                    
\"definition\": \"sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                    \"name\": \"sysmon\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"unsigned_image_loaded_by_lsass_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Unsuccessful Netbackup backups\",\n            \"id\": \"a34aae96-ccf8-4aaa-952c-3ea21444444f\",\n            \"version\": 1,\n            \"date\": \"2017-09-12\",\n            \"description\": \"This search gives you the hosts where a backup was attempted and then failed.\",\n            \"how_to_implement\": \"To successfully implement this search you need to obtain data from your backup solution, either from the backup logs on your endpoints or from a central server responsible for performing the backups. 
If you do not use Netbackup, you can modify this search for your specific backup solution.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`netbackup` | stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE | search MESSAGE=\\\"An error occurred, failed to backup.\\\" | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest, MESSAGE as signature | table latestTime, dest, signature | `unsuccessful_netbackup_backups_filter`\",\n            \"known_false_positives\": \"None identified\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Monitor Backup Solution\"\n                ],\n                \"cis20\": [\n                    \"CIS 10\"\n                ],\n                \"nist\": [\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Monitor Successful Backups\",\n                    \"id\": \"b4d0dfb2-2195-4f6e-93a3-48468ed9734e\",\n                    \"version\": 1,\n                    \"date\": \"2017-09-12\",\n                    \"description\": \"This search is intended to give you a feel for how often successful backups are conducted in your environment. 
Fluctuations in these numbers will allow you to determine when you should investigate.\",\n                    \"how_to_implement\": \"To successfully implement this search you must be ingesting your backup logs.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`netbackup` \\\"Disk/Partition backup completed successfully.\\\" | bucket _time span=1d | stats dc(COMPUTERNAME) as count values(COMPUTERNAME) as dest by _time, MESSAGE\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Monitor Backup Solution\"\n                        ],\n                        \"detections\": [\n                            \"Unsuccessful Netbackup backups\"\n                        ]\n                    }\n                },\n                {\n                    \"name\": \"Monitor Unsuccessful Backups\",\n                    \"id\": \"b2178fed-592f-492b-b851-74161678aa56\",\n                    \"version\": 1,\n                    \"date\": \"2017-09-12\",\n                    \"description\": \"This search is intended to give you a feel for how often backup failures happen in your environments.  
Fluctuations in these numbers will allow you to determine when you should investigate.\",\n                    \"how_to_implement\": \"To successfully implement this search you must be ingesting your backup logs.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`netbackup` \\\"An error occurred, failed to backup.\\\" | bucket _time span=1d | stats dc(COMPUTERNAME) as count values(COMPUTERNAME) as dest by _time, MESSAGE\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Monitor Backup Solution\"\n                        ],\n                        \"detections\": [\n                            \"Unsuccessful Netbackup backups\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"sourcetype=\\\"netbackup_logs\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                    \"name\": \"netbackup\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"unsuccessful_netbackup_backups_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"More than usual number of LOLBAS applications in short time period - SSA\",\n            \"id\": \"59c0dd70-169c-4900-9a1f-bfcf13302f93\",\n            \"version\": 1,\n            \"date\": \"2020-08-25\",\n            \"description\": \"Attacker activity may compromise executing several LOLBAS applications in conjunction to accomplish their objectives. We are looking for more than usual LOLBAS applications over a window of time, by building profiles per machine.\",\n            \"how_to_implement\": \"Collect endpoint data such as sysmon or 4688 events.\",\n            \"references\": [\n                \"https://github.com/LOLBAS-Project/LOLBAS/tree/master/yml/OSBinaries\"\n            ],\n            \"type\": \"SSA\",\n            \"author\": \"Ignacio Bermudez Corrales, Splunk\",\n            \"search\": \" | from read_ssa_enriched_events() | eval device=ucast(map_get(input_event, \\\"dest_device_id\\\"), \\\"string\\\", null), process_name=lower(ucast(map_get(input_event, \\\"process_name\\\"), \\\"string\\\", null)), timestamp=parse_long(ucast(map_get(input_event, \\\"_time\\\"), \\\"string\\\", null)) | where process_name==\\\"regsvcs.exe\\\" OR process_name==\\\"ftp.exe\\\" OR process_name==\\\"dfsvc.exe\\\" OR process_name==\\\"rasautou.exe\\\" OR process_name==\\\"schtasks.exe\\\" OR process_name==\\\"xwizard.exe\\\" OR process_name==\\\"findstr.exe\\\" OR process_name==\\\"esentutl.exe\\\" OR process_name==\\\"cscript.exe\\\" OR process_name==\\\"reg.exe\\\" OR process_name==\\\"csc.exe\\\" OR process_name==\\\"atbroker.exe\\\" OR process_name==\\\"print.exe\\\" OR process_name==\\\"pcwrun.exe\\\" OR process_name==\\\"vbc.exe\\\" OR process_name==\\\"rpcping.exe\\\" OR process_name==\\\"wsreset.exe\\\" OR process_name==\\\"ilasm.exe\\\" OR process_name==\\\"certutil.exe\\\" OR 
process_name==\\\"replace.exe\\\" OR process_name==\\\"mshta.exe\\\" OR process_name==\\\"bitsadmin.exe\\\" OR process_name==\\\"wscript.exe\\\" OR process_name==\\\"ieexec.exe\\\" OR process_name==\\\"cmd.exe\\\" OR process_name==\\\"microsoft.workflow.compiler.exe\\\" OR process_name==\\\"runscripthelper.exe\\\" OR process_name==\\\"makecab.exe\\\" OR process_name==\\\"forfiles.exe\\\" OR process_name==\\\"desktopimgdownldr.exe\\\" OR process_name==\\\"control.exe\\\" OR process_name==\\\"msbuild.exe\\\" OR process_name==\\\"register-cimprovider.exe\\\" OR process_name==\\\"tttracer.exe\\\" OR process_name==\\\"ie4uinit.exe\\\" OR process_name==\\\"sc.exe\\\" OR process_name==\\\"bash.exe\\\" OR process_name==\\\"hh.exe\\\" OR process_name==\\\"cmstp.exe\\\" OR process_name==\\\"mmc.exe\\\" OR process_name==\\\"jsc.exe\\\" OR process_name==\\\"scriptrunner.exe\\\" OR process_name==\\\"odbcconf.exe\\\" OR process_name==\\\"extexport.exe\\\" OR process_name==\\\"msdt.exe\\\" OR process_name==\\\"diskshadow.exe\\\" OR process_name==\\\"extrac32.exe\\\" OR process_name==\\\"eventvwr.exe\\\" OR process_name==\\\"mavinject.exe\\\" OR process_name==\\\"regasm.exe\\\" OR process_name==\\\"gpscript.exe\\\" OR process_name==\\\"rundll32.exe\\\" OR process_name==\\\"regsvr32.exe\\\" OR process_name==\\\"regedit.exe\\\" OR process_name==\\\"msiexec.exe\\\" OR process_name==\\\"gfxdownloadwrapper.exe\\\" OR process_name==\\\"presentationhost.exe\\\" OR process_name==\\\"regini.exe\\\" OR process_name==\\\"wmic.exe\\\" OR process_name==\\\"runonce.exe\\\" OR process_name==\\\"syncappvpublishingserver.exe\\\" OR process_name==\\\"verclsid.exe\\\" OR process_name==\\\"psr.exe\\\" OR process_name==\\\"infdefaultinstall.exe\\\" OR process_name==\\\"explorer.exe\\\" OR process_name==\\\"expand.exe\\\" OR process_name==\\\"installutil.exe\\\" OR process_name==\\\"netsh.exe\\\" OR process_name==\\\"wab.exe\\\" OR process_name==\\\"dnscmd.exe\\\" OR process_name==\\\"at.exe\\\" OR 
process_name==\\\"pcalua.exe\\\" OR process_name==\\\"cmdkey.exe\\\" OR process_name==\\\"msconfig.exe\\\" | stats count(process_name) as lolbas_counter by device,span(timestamp, 300s) | eval lolbas_counter=lolbas_counter*1.0 | rename window_end as timestamp | adaptive_threshold algorithm=\\\"quantile\\\" value=\\\"lolbas_counter\\\" entity=\\\"device\\\" window=2419200000L | where label AND quantile>0.99 | eval start_time = timestamp, end_time = timestamp, entities = mvappend(device), body = \\\"TBD\\\" | into write_ssa_detected_events();\",\n            \"known_false_positives\": \"Some administrative tasks may involve multiple use of LOLBAS applications in a short period of time. This might trigger false positives at the beginning, when not enough data has yet been collected to construct the baseline.\\n\",\n            \"tags\": {\n                \"mitre_technique_id\": [\n                    \"T1059\",\n                    \"T1053\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Exploitation\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"risk_severity\": \"low\",\n                \"security_domain\": \"endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            }\n        },\n        {\n            \"name\": \"Unusually Long Command Line\",\n            \"id\": \"c77162d3-f93c-45cc-80c8-22f6a4264e7f\",\n            \"version\": 4,\n            \"date\": \"2020-03-16\",\n            \"description\": \"Command lines that are extremely long may be indicative of malicious activity on your hosts.\",\n            \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships, from 
your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the process field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|  eval processlen=len(process) | eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process | `unusually_long_command_line_filter` | eval threshold = 10 | where maxlen > ((threshold*stdevperhost) + avgperhost)\",\n            \"known_false_positives\": \"Some legitimate applications start with long command lines.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Command-Line Executions\",\n                    \"Unusual Processes\",\n                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                    \"Ransomware\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n             
   {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"unusually_long_command_line_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Unusually Long Command Line - MLTK\",\n            \"id\": \"57edaefa-a73b-45e5-bbae-f39c1473f941\",\n            \"version\": 1,\n            \"date\": \"2019-05-08\",\n            \"description\": \"Command lines that are extremely long may be indicative of malicious activity on your hosts. This search leverages the Machine Learning Toolkit (MLTK) to help identify command lines with lengths that are unusual for a given user.\",\n            \"how_to_implement\": \"You must be ingesting endpoint data that monitors command lines and populates the Endpoint data model in the Processes node. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. In addition, MLTK version >= 4.2 must be installed on your search heads, along with any required dependencies. Finally, the support search \\\"Baseline of Command Line Length - MLTK\\\" must be executed before this detection search, as it builds an ML model over the historical data used by this search. 
It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown | apply cmdline_pdfmodel threshold=0.01 | rename \\\"IsOutlier(processlen)\\\" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count | `unusually_long_command_line___mltk_filter`\",\n            \"known_false_positives\": \"Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. If you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. You should also periodically re-run the support search to re-build the ML model on the latest data. 
You may get unexpected results if the user identified in the results is not present in the data used to build the associated model.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Command-Line Executions\",\n                    \"Unusual Processes\",\n                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                    \"Ransomware\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Baseline of Command Line Length - MLTK\",\n                    \"id\": \"d2a4d85b-fc6a-47a0-82f6-bc1ec2ebc459\",\n                    \"version\": 1,\n                    \"date\": \"2019-05-08\",\n                    \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the command lines observed for each user in the environment. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search, which identifies outliers in the length of the command line.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data and populating the Endpoint data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. 
Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | search user!=unknown | `security_content_ctime(start_time)`| `security_content_ctime(end_time)`| eval processlen=len(process) | fit DensityFunction processlen by user into cmdline_pdfmodel\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Ransomware\",\n                            \"Suspicious Command-Line Executions\",\n                            \"Suspicious MSHTA Activity\",\n                            \"Unusual Processes\"\n                        ],\n                        \"detections\": [\n                            \"Detect Prohibited Applications Spawning cmd.exe\",\n                            \"Unusually Long Command Line - MLTK\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": 
\"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"unusually_long_command_line___mltk_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Unusually Long Command Line - SSA\",\n            \"id\": \"58f43aba-1775-445e-b19c-be2b87d83ae3\",\n            \"version\": 1,\n            \"date\": \"2020-10-06\",\n            \"description\": \"Command lines that are extremely long may be indicative of malicious activity on your hosts. This search leverages the Splunk Streaming ML DSP plugin to help identify command lines with lengths that are unusual for a given user. 
This detection is inspired on Unusually Long Command Line authored by Rico Valdez.\",\n            \"how_to_implement\": \"You must be ingesting sysmon endpoint data that monitors command lines.\",\n            \"references\": [],\n            \"type\": \"SSA\",\n            \"author\": \"Ignacio Bermudez Corrales, Splunk\",\n            \"search\": \" | from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, \\\"_time\\\"), \\\"string\\\", null)) | eval cmd_line=ucast(map_get(input_event, \\\"process\\\"), \\\"string\\\", null), dest_user_id=ucast(map_get(input_event, \\\"dest_user_id\\\"), \\\"string\\\", null), dest_device_id=ucast(map_get(input_event, \\\"dest_device_id\\\"), \\\"string\\\", null), process_name=ucast(map_get(input_event, \\\"process_name\\\"), \\\"string\\\", null) | where cmd_line!=null and dest_user_id!=null | eval cmd_line_norm=replace(cast(cmd_line, \\\"string\\\"), /\\\\s(--?\\\\w+)|(\\\\/\\\\w+)/, \\\" ARG\\\"), cmd_line_norm=replace(cmd_line_norm, /\\\\w:\\\\\\\\[^\\\\s]+/, \\\"PATH\\\"), cmd_line_norm=replace(cmd_line_norm, /\\\\d+/, \\\"N\\\"), input=parse_double(len(coalesce(cmd_line_norm, \\\"\\\"))) | adaptive_threshold algorithm=\\\"quantile\\\" entity=\\\"process_name\\\" window=60480000 | where label AND quantile>0.99 | first_time_event cache_partitions=1 input_columns=\\\"dest_device_id,cmd_line\\\" | where first_time_dest_device_id_cmd_line | eval start_time = timestamp, end_time = timestamp, entities = mvappend(dest_device_id, dest_user_id), body = \\\"TBD\\\" | into write_ssa_detected_events();\",\n            \"known_false_positives\": \"This detection may flag suspiciously long command lines when there is not sufficient evidence (samples) for a given process that this detection is tracking; or when there is high variability in the length of the command line for the tracked process. Also, some legitimate applications may use long command lines. 
Such is the case of Ansible, that encodes Powershell scripts using long base64. Attackers may use this technique to obfuscate their payloads.\",\n            \"tags\": {\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\"\n                ],\n                \"risk_severity\": \"low\",\n                \"security_domain\": \"endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            }\n        },\n        {\n            \"name\": \"Unusually Long Content-Type Length\",\n            \"id\": \"57a0a2bf-353f-40c1-84dc-29293f3c35b7\",\n            \"version\": 1,\n            \"date\": \"2017-10-13\",\n            \"description\": \"This search looks for unusually long strings in the Content-Type http header that the client sends the server.\",\n            \"how_to_implement\": \"This particular search leverages data extracted from Stream:HTTP. 
You must configure the http stream using the Splunk Stream App on your Splunk Stream deployment server to extract the cs_content_type field.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`stream_http` | eval cs_content_type_length = len(cs_content_type) | where cs_content_type_length > 100 | table endtime src_ip dest_ip cs_content_type_length cs_content_type url | `unusually_long_content_type_length_filter`\",\n            \"known_false_positives\": \"Very few legitimate Content-Type fields will have a length greater than 100 characters.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Apache Struts Vulnerability\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Delivery\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 4\",\n                    \"CIS 18\",\n                    \"CIS 12\"\n                ],\n                \"nist\": [\n                    \"ID.RA\",\n                    \"RS.MI\",\n                    \"PR.PT\",\n                    \"PR.IP\",\n                    \"DE.AE\",\n                    \"PR.MA\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Web Server\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=stream:http\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                    \"name\": \"stream_http\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"unusually_long_content_type_length_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"USN Journal Deletion\",\n            \"id\": \"b6e0ff70-b122-4227-9368-4cf322ab43c3\",\n            \"version\": 2,\n            \"date\": \"2018-12-03\",\n            \"description\": \"The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on the disk. This search looks for fsutil.exe deleting the USN journal.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=\\\"*deletejournal*\\\" AND process=\\\"*usn*\\\" | `usn_journal_deletion_filter`\",\n            \"known_false_positives\": \"None identified\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Log Manipulation\",\n                    \"Ransomware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1070\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 6\",\n                    \"CIS 8\",\n                    \"CIS 10\"\n                ],\n                \"nist\": [\n                    \"DE.CM\",\n                    \"PR.PT\",\n                    \"DE.AE\",\n                    \"DE.DP\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Indicator Removal on Host\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n 
           },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"usn_journal_deletion_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Web Servers Executing Suspicious Processes\",\n            \"id\": \"ec3b7601-689a-4463-94e0-c9f45638efb9\",\n            \"version\": 1,\n            \"date\": \"2019-04-01\",\n            \"description\": \"This search looks for suspicious processes on all systems labeled as web servers.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. 
In addition, web servers will need to be identified in the Assets and Identity Framework of Enterprise Security.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest_category=\\\"web_server\\\" AND (Processes.process=\\\"*whoami*\\\" OR Processes.process=\\\"*ping*\\\" OR Processes.process=\\\"*iptables*\\\" OR Processes.process=\\\"*wget*\\\" OR Processes.process=\\\"*service*\\\" OR Processes.process=\\\"*curl*\\\") by Processes.process Processes.process_name, Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter`\",\n            \"known_false_positives\": \"Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Apache Struts Vulnerability\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1082\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\"\n                ],\n                \"nist\": [\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Web Server\",\n                \"mitre_attack_technique\": [\n                    \"System Information Discovery\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Discovery\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Rocke\",\n                    \"Sandworm 
Team\",\n                    \"Blue Mockingbird\",\n                    \"Tropic Trooper\",\n                    \"Frankenstein\",\n                    \"Inception\",\n                    \"Kimsuky\",\n                    \"Darkhotel\",\n                    \"MuddyWater\",\n                    \"APT18\",\n                    \"Honeybee\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"APT32\",\n                    \"Magic Hound\",\n                    \"OilRig\",\n                    \"APT3\",\n                    \"Sowbug\",\n                    \"Gamaredon Group\",\n                    \"Patchwork\",\n                    \"Stealth Falcon\",\n                    \"Lazarus Group\",\n                    \"admin@338\",\n                    \"Turla\",\n                    \"Ke3chang\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"web_servers_executing_suspicious_processes_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Windows Event Log Cleared\",\n            \"id\": \"ad517544-aff9-4c96-bd99-d6eb43bfbb6a\",\n            \"version\": 4,\n            \"date\": \"2020-07-06\",\n            \"description\": \"This search looks for Windows events that indicate one of the Windows event logs has been purged.\",\n            \"how_to_implement\": \"To successfully implement this search, you need to be ingesting Windows event logs from your hosts.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"(`wineventlog_security` (EventCode=1102 OR EventCode=1100)) OR (`wineventlog_system` EventCode=104) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_log_cleared_filter`\",\n            \"known_false_positives\": \"It is possible that these logs may be legitimately cleared by Administrators.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Windows Log Manipulation\",\n                    \"Ransomware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1070.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\",\n                    \"CIS 6\"\n                ],\n                \"nist\": [\n                    \"DE.DP\",\n                    \"PR.IP\",\n                    \"PR.AC\",\n                    \"PR.AT\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n       
         \"mitre_attack_technique\": [\n                    \"Clear Windows Event Logs\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT41\",\n                    \"APT38\",\n                    \"Dragonfly 2.0\",\n                    \"APT32\",\n                    \"FIN8\",\n                    \"FIN5\",\n                    \"APT28\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"eventtype=wineventlog_security\",\n                    \"description\": \"customer-specific Splunk configuration (e.g. index, source, sourcetype). Replace the macro definition with the configuration for your Splunk environment.\",\n                    \"name\": \"wineventlog_security\"\n                },\n                {\n                    \"definition\": \"eventtype=wineventlog_system\",\n                    \"description\": \"customer-specific Splunk configuration (e.g. index, source, sourcetype). Replace the macro definition with the configuration for your Splunk environment.\",\n                    \"name\": \"wineventlog_system\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"windows_event_log_cleared_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Windows hosts file modification\",\n            \"id\": \"06a6fc63-a72d-41dc-8736-7e3dd9612116\",\n            \"version\": 1,\n            \"date\": \"2018-11-02\",\n            \"description\": \"The search looks for modifications to the hosts file on all Windows endpoints across your environment.\",\n            \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem  by Filesystem.file_name Filesystem.file_path Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | search Filesystem.file_name=hosts AND Filesystem.file_path=*Windows\\\\\\\\System32\\\\\\\\* | `drop_dm_object_name(Filesystem)` | `windows_hosts_file_modification_filter`\",\n            \"known_false_positives\": \"There may be legitimate reasons for system administrators to add entries to this file.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Host Redirection\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 8\",\n                    \"CIS 
12\"\n                ],\n                \"nist\": [\n                    \"PR.IP\",\n                    \"PR.PT\",\n                    \"PR.AC\",\n                    \"DE.AE\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"tstats options for data model searches. Note that the shipped definition sets summariesonly=false, so non-accelerated raw events are searched as well as the accelerated summaries; set summariesonly=true to search accelerated data only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"windows_hosts_file_modification_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"WMI Permanent Event Subscription\",\n            \"id\": \"71bfdb13-f200-4c6c-b2c9-a2e07adf437d\",\n            \"version\": 1,\n            \"date\": \"2018-10-23\",\n            \"description\": \"This search looks for the creation of WMI permanent event subscriptions.\",\n            \"how_to_implement\": \"To successfully implement this search, you must be ingesting the Windows WMI activity logs. 
This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"`wmi` EventCode=5861 Binding | rex field=Message \\\"Consumer =\\\\s+(?<consumer>[^;|^$]+)\\\" | search consumer!=\\\"NTEventLogEventConsumer=\\\\\\\"SCM Event Log Consumer\\\\\\\"\\\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer, Message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | rename ComputerName as dest | `wmi_permanent_event_subscription_filter`\",\n            \"known_false_positives\": \"Although unlikely, administrators may use event subscriptions for legitimate purposes.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious WMI Use\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1047\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"PR.AT\",\n                    \"PR.AC\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Windows Management Instrumentation\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"Wizard Spider\",\n                    \"Frankenstein\",\n                    
\"APT41\",\n                    \"FIN6\",\n                    \"Soft Cell\",\n                    \"APT32\",\n                    \"MuddyWater\",\n                    \"OilRig\",\n                    \"Threat Group-3390\",\n                    \"FIN8\",\n                    \"Leviathan\",\n                    \"menuPass\",\n                    \"Stealth Falcon\",\n                    \"Lazarus Group\",\n                    \"APT29\",\n                    \"Deep Panda\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"wineventlog:microsoft-windows-wmi-activity/operational\\\"\",\n                    \"description\": \"customer-specific Splunk configuration (e.g. index, source, sourcetype). Replace the macro definition with the configuration for your Splunk environment.\",\n                    \"name\": \"wmi\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"wmi_permanent_event_subscription_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"WMI Permanent Event Subscription - Sysmon\",\n            \"id\": \"ad05aae6-3b2a-4f73-af97-57bd26cee3b9\",\n            \"version\": 1,\n            \"date\": \"2018-10-23\",\n            \"description\": \"This search looks for the creation of WMI permanent event subscriptions.\",\n            \"how_to_implement\": \"To successfully implement this search, you must be collecting Sysmon data using Sysmon version 6.1 or greater and have Sysmon configured to generate alerts for WMI activity. In addition, you must have at least version 6.0.4 of the Sysmon TA installed to properly parse the fields.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"`sysmon` EventCode=21 | rename host as dest | table _time, dest, user, Operation, EventType, Query, Consumer, Filter | `wmi_permanent_event_subscription___sysmon_filter`\",\n            \"known_false_positives\": \"Although unlikely, administrators may use event subscriptions for legitimate purposes.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious WMI Use\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1047\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"PR.AT\",\n                    \"PR.AC\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    
\"Windows Management Instrumentation\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"Wizard Spider\",\n                    \"Frankenstein\",\n                    \"APT41\",\n                    \"FIN6\",\n                    \"Soft Cell\",\n                    \"APT32\",\n                    \"MuddyWater\",\n                    \"OilRig\",\n                    \"Threat Group-3390\",\n                    \"FIN8\",\n                    \"Leviathan\",\n                    \"menuPass\",\n                    \"Stealth Falcon\",\n                    \"Lazarus Group\",\n                    \"APT29\",\n                    \"Deep Panda\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\",\n                    \"description\": \"customer-specific Splunk configuration (e.g. index, source, sourcetype). Replace the macro definition with the configuration for your Splunk environment.\",\n                    \"name\": \"sysmon\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"wmi_permanent_event_subscription___sysmon_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"WMI Temporary Event Subscription\",\n            \"id\": \"38cbd42c-1098-41bb-99cf-9d6d2b296d83\",\n            \"version\": 1,\n            \"date\": \"2018-10-23\",\n            \"description\": \"This search looks for the creation of WMI temporary event subscriptions.\",\n            \"how_to_implement\": \"To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"`wmi` EventCode=5860 Temporary | rex field=Message \\\"NotificationQuery =\\\\s+(?<query>[^;|^$]+)\\\" | search query!=\\\"SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'\\\" AND query!=\\\"SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'\\\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, query  | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmi_temporary_event_subscription_filter`\",\n            \"known_false_positives\": \"Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. 
You may need to modify the search to create exceptions for other legitimate events.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious WMI Use\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1047\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 5\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"PR.AT\",\n                    \"PR.AC\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"endpoint\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Windows Management Instrumentation\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"Wizard Spider\",\n                    \"Frankenstein\",\n                    \"APT41\",\n                    \"FIN6\",\n                    \"Soft Cell\",\n                    \"APT32\",\n                    \"MuddyWater\",\n                    \"OilRig\",\n                    \"Threat Group-3390\",\n                    \"FIN8\",\n                    \"Leviathan\",\n                    \"menuPass\",\n                    \"Stealth Falcon\",\n                    \"Lazarus Group\",\n                    \"APT29\",\n                    \"Deep Panda\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=\\\"wineventlog:microsoft-windows-wmi-activity/operational\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, 
sourcetype). Replace the macro definition with the configuration for your Splunk environment.\",\n                    \"name\": \"wmi\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"wmi_temporary_event_subscription_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Clients Connecting to Multiple DNS Servers\",\n            \"id\": \"74ec6f18-604b-4202-a567-86b2066be3ce\",\n            \"version\": 3,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search.\",\n            \"how_to_implement\": \"This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro.\\\\\\nThis search produces fields (`dest_count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. 
**Label:** Distinct DNS Connections, **Field:** dest_count\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n            \"type\": \"ESCU\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src | `drop_dm_object_name(\\\"Network_Resolution\\\")` |where dest_count > 5 | `clients_connecting_to_multiple_dns_servers_filter` \",\n            \"known_false_positives\": \"It's possible that an enterprise has more than five DNS servers that are configured in a round-robin rotation. Please customize the search, as appropriate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"DNS Hijacking\",\n                    \"Command and Control\",\n                    \"Suspicious DNS Traffic\",\n                    \"Host Redirection\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1048.003\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 9\",\n                    \"CIS 12\",\n                    \"CIS 13\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.AE\",\n                    \"PR.DS\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Exfiltration\"\n                
],\n                \"mitre_attack_groups\": [\n                    \"APT32\",\n                    \"APT33\",\n                    \"Thrip\",\n                    \"FIN8\",\n                    \"OilRig\",\n                    \"Lazarus Group\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"tstats options for data model searches. Note that the shipped definition sets summariesonly=false, so non-accelerated raw events are searched as well as the accelerated summaries; set summariesonly=true to search accelerated data only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"clients_connecting_to_multiple_dns_servers_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect ARP Poisoning\",\n            \"id\": \"b44bebd6-bd39-467b-9321-73971bcd7aac\",\n            \"version\": 1,\n            \"date\": \"2020-08-11\",\n            \"description\": \"This search detects ARP poisoning attempts by looking for switch ports that Dynamic ARP Inspection (DAI), enabled as a Layer 2 security control on the organization's Cisco network devices, has placed into the err-disabled state. Note that it matches only the ERR_DISABLE event, i.e. a port that DAI has shut down; individual DAI packet drops that do not err-disable the port are not matched.\",\n            \"how_to_implement\": \"This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and Dynamic ARP Inspection (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01111.html) and log with a severity level of minimum \\\"5 - notification\\\". 
The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Mikael Bjerkeland, Splunk\",\n            \"search\": \"`cisco_networks` facility=\\\"PM\\\" mnemonic=\\\"ERR_DISABLE\\\" disable_cause=\\\"arp-inspection\\\" | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime count BY host src_interface | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_arp_poisoning_filter`\",\n            \"known_false_positives\": \"This search might be prone to high false positives if DHCP Snooping or ARP inspection has been incorrectly configured, or if a device normally sends many ARP packets (unlikely).\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Router and Infrastructure Security\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Reconnaissance\",\n                    \"Delivery\",\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1200\",\n                    \"T1498\",\n                    \"T1557\"\n                ],\n                \"cis20\": [\n                    \"CIS 1\",\n                    \"CIS 11\"\n                ],\n                \"nist\": [\n                    \"ID.AM\",\n                    \"PR.DS\"\n                ],\n                \"detection_name\": \"Detect ARP Poisoning\",\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Infrastructure\",\n                \"mitre_attack_technique\": [\n                    \"Hardware Additions\",\n                    \"Network Denial of Service\",\n                    \"Man-in-the-Middle\"\n                ],\n                
\"mitre_attack_tactics\": [\n                    \"Initial Access\",\n                    \"Impact\",\n                    \"Credential Access\",\n                    \"Collection\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"DarkVishnya\",\n                    \"no\",\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"eventtype=cisco_ios\",\n                    \"description\": \"customer-specific Splunk configuration (e.g. index, source, sourcetype). Replace the macro definition with the configuration for your Splunk environment.\",\n                    \"name\": \"cisco_networks\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_arp_poisoning_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect DNS requests to Phishing Sites leveraging EvilGinx2\",\n            \"id\": \"24dd17b1-e2fb-4c31-878c-d4f226595bfa\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites.\",\n            \"how_to_implement\": \"You need to ingest data from your DNS logs in the Network_Resolution datamodel. 
Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You will have to add legitimate domain names to the `legit_domains.csv` file shipped with the app. \\\\\\n **Splunk>Phantom Playbook Integration**\\\\\\nIf Splunk>Phantom is also configured in your environment, a Playbook called `Lets Encrypt Domain Investigate` can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \\\"Phantom Instance\\\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \\\\\\n(Playbook link:`https://my.phantom.us/4.2/playbook/lets-encrypt-domain-investigate/`).\\\\\\n\",\n            \"type\": \"ESCU\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution.DNS by DNS.dest DNS.src DNS.query host | `drop_dm_object_name(DNS)`| rex field=query \\\".*?(?<domain>[^./:]+\\\\.(\\\\S{2,3}|\\\\S{2,3}.\\\\S{2,3}))$\\\" | stats count values(query) as query by domain dest src answer| search `evilginx_phishlets_amazon` OR `evilginx_phishlets_facebook` OR `evilginx_phishlets_github` OR `evilginx_phishlets_0365` OR `evilginx_phishlets_outlook` OR `evilginx_phishlets_aws` OR `evilginx_phishlets_google` | search NOT [ inputlookup legit_domains.csv | fields domain]| join domain type=outer [| tstats count `security_content_summariesonly` values(Web.url) as url from datamodel=Web.Web by Web.dest Web.site | rename \\\"Web.*\\\" as * | rex 
field=site \\\".*?(?<domain>[^./:]+\\\\.(\\\\S{2,3}|\\\\S{2,3}.\\\\S{2,3}))$\\\" | table dest domain url] | table count src dest query answer domain url | `detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter`\",\n            \"known_false_positives\": \"If a known good domain is not listed in the legit_domains.csv file, then the search could give you false positives. Please update that lookup file to filter out DNS requests to legitimate domains. Note that every domain in that lookup is excluded unconditionally, so keep it to domains you have verified.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Common Phishing Frameworks\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1566.003\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Delivery\",\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 7\"\n                ],\n                \"nist\": [\n                    \"ID.AM\",\n                    \"PR.DS\",\n                    \"PR.IP\",\n                    \"DE.AE\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Spearphishing via Service\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Magic Hound\",\n                    \"Windshift\",\n                    \"FIN6\",\n                    \"OilRig\",\n                    \"Dark Caracal\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"(query=outlook* AND query=login* AND query=account*)\",\n                    \"description\": \"This limits the query fields to domains that are associated with evilginx 
masquerading as Outlook\",\n                    \"name\": \"evilginx_phishlets_outlook\"\n                },\n                {\n                    \"definition\": \"(query=login* AND query=www*)\",\n                    \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as Office 365\",\n                    \"name\": \"evilginx_phishlets_0365\"\n                },\n                {\n                    \"definition\": \"(query=fls-na* AND query = www* AND query=images*)\",\n                    \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as Amazon\",\n                    \"name\": \"evilginx_phishlets_amazon\"\n                },\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"(query=api* AND query = github*)\",\n                    \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as GitHub\",\n                    \"name\": \"evilginx_phishlets_github\"\n                },\n                {\n                    \"definition\": \"(query=www* AND query=aws* AND query=console.aws* AND query=signin.aws* AND api-northeast-1.console.aws* AND query=fls-na* AND query=images-na*)\",\n                    \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as an AWS console\",\n                    \"name\": \"evilginx_phishlets_aws\"\n                },\n                {\n                    \"definition\": \"(query=www* AND query = m* AND query=static*)\",\n                    \"description\": \"This limits the query fields to domains that are associated with evilginx 
masquerading as Facebook\",\n                    \"name\": \"evilginx_phishlets_facebook\"\n                },\n                {\n                    \"definition\": \"(query=accounts* AND query=ssl* AND query=www*)\",\n                    \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as Google\",\n                    \"name\": \"evilginx_phishlets_google\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect hosts connecting to dynamic domain providers\",\n            \"id\": \"c77162d3-f93c-45cc-80c8-22f6v5464g9f\",\n            \"version\": 2,\n            \"date\": \"2020-01-16\",\n            \"description\": \"Malicious actors often abuse legitimate Dynamic DNS services to host malicious payloads or interactive command and control nodes. Attackers will automate domain resolution changes by routing dynamic domains to countless IP addresses to circumvent firewall blocks and blacklists, as well as to frustrate a network defender's analytic and investigative processes. This search will look for DNS queries made from within your infrastructure to suspicious dynamic domains.\",\n            \"how_to_implement\": \"First, you'll need to ingest data from your DNS operations. This can be done by ingesting logs from your server or data, collected passively by Splunk Stream or a similar solution. Specifically, data that contains the domain that is being queried and the IP of the host originating the request must be populating the `Network_Resolution` data model. 
This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of Dynamic DNS providers. Please consider updating the local lookup periodically by adding new domains to the list of `dynamic_dns_providers_local.csv`.\\\\\\nThis search produces fields (query, answer, isDynDNS) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable event. To see the additional metadata, add the following fields, if not already present, to Incident Review. Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** DNS Query, **Field:** query\\\\\\n1. \\\\\\n1. **Label:** DNS Answer, **Field:** answer\\\\\\n1. \\\\\\n1. **Label:** IsDynamicDNS, **Field:** isDynDNS\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n            \"type\": \"ESCU\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(\\\"DNS\\\")` | `security_content_ctime(firstTime)` | `dynamic_dns_providers` | `detect_hosts_connecting_to_dynamic_domain_providers_filter`\",\n            \"known_false_positives\": \"Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Data Protection\",\n                    \"Prohibited Traffic Allowed or Protocol Mismatch\",\n                    \"DNS Hijacking\",\n                    
\"Suspicious DNS Traffic\",\n                    \"Dynamic DNS\",\n                    \"Command and Control\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 12\",\n                    \"CIS 13\"\n                ],\n                \"nist\": [\n                    \"PR.DS\",\n                    \"PR.PT\",\n                    \"DE.AE\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True\",\n                    \"description\": \"This macro limits the output of the query field to dynamic dns domains. 
It looks up the domains in a file provided by Splunk and one intended to be updated by the end user.\",\n                    \"name\": \"dynamic_dns_providers\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_hosts_connecting_to_dynamic_domain_providers_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Large Outbound ICMP Packets\",\n            \"id\": \"e9c102de-4d43-42a7-b1c8-8062ea297419\",\n            \"version\": 2,\n            \"date\": \"2018-06-01\",\n            \"description\": \"This search looks for outbound ICMP packets with a packet size larger than 1,000 bytes. Various threat actors have been known to use ICMP as a command and control channel for their attack infrastructure. Large ICMP packets from an endpoint to a remote host may be indicative of this activity.\",\n            \"how_to_implement\": \"In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have a good understanding of how your network segments are designed and that you are able to distinguish internal from external address space. Add a category named `internal` to the CIDRs that host the company's assets in the `assets_by_cidr.csv` lookup file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`. 
More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) values(All_Traffic.bytes) from datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes > 1000 by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name(\\\"All_Traffic\\\")` | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_large_outbound_icmp_packets_filter`\",\n            \"known_false_positives\": \"ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with command and control traffic, there will typically be a large number of these packets observed over time. 
If the search is providing a large number of false positives, you can modify the search to adjust the byte threshold or whitelist specific IP addresses, as necessary.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Command and Control\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1095\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 9\",\n                    \"CIS 12\"\n                ],\n                \"nist\": [\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Non-Application Layer Protocol\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT29\",\n                    \"PLATINUM\",\n                    \"APT3\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to 
limit the output results to filter out false positives. \",\n                    \"name\": \"detect_large_outbound_icmp_packets_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Long DNS TXT Record Response\",\n            \"id\": \"05437c07-62f5-452e-afdc-04dd44815bb9\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic.\",\n            \"how_to_implement\": \"To successfully implement this search you need to ingest data from your DNS logs, or monitor DNS traffic using Stream, Bro or something similar. Specifically, this query requires that the DNS data model is populated with information regarding the DNS record type that is being returned as well as the data in the answer section of the protocol.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type |  `drop_dm_object_name(\\\"DNS\\\")` | eval anslen=len(answer) | search anslen>100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename src as \\\"Source IP\\\", dest as \\\"Destination IP\\\", answer as \\\"DNS Answer\\\" anslen as \\\"Answer Length\\\" record_type as \\\"DNS Record Type\\\" firstTime as \\\"First Time\\\" lastTime as \\\"Last Time\\\" count as Count | table \\\"Source IP\\\" \\\"Destination IP\\\" \\\"DNS Answer\\\" \\\"DNS Record Type\\\"  
\\\"Answer Length\\\" Count \\\"First Time\\\" \\\"Last Time\\\" | `detect_long_dns_txt_record_response_filter`\",\n            \"known_false_positives\": \"It's possible that legitimate TXT record responses can be long enough to trigger this search. You can modify the packet threshold for this search to help mitigate false positives.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious DNS Traffic\",\n                    \"Command and Control\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1071.004\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 12\",\n                    \"CIS 13\"\n                ],\n                \"nist\": [\n                    \"PR.DS\",\n                    \"PR.PT\",\n                    \"DE.AE\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"DNS\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT39\",\n                    \"Tropic Trooper\",\n                    \"OilRig\",\n                    \"Ke3chang\",\n                    \"Cobalt Group\",\n                    \"APT18\",\n                    \"APT41\",\n                    \"FIN7\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n 
               {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_long_dns_txt_record_response_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Outbound SMB Traffic\",\n            \"id\": \"7f5fb3e1-4209-414-90db-0ec21b936378\",\n            \"version\": 3,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for outbound SMB connections made by hosts within your network to the Internet. SMB traffic is used for Windows file-sharing activity. One of the techniques often used by attackers involves retrieving the credential hash using an SMB request made to a compromised server controlled by the threat actor.\",\n            \"how_to_implement\": \"In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have good understanding of how your network segments are designed, and be able to distinguish internal from external address space. Add a category named `internal` to the CIDRs that host the company's assets in `assets_by_cidr.csv` lookup file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`. More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. 
This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest values(All_Traffic.action) from datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb) by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name(\\\"All_Traffic\\\")` | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `detect_outbound_smb_traffic_filter` \",\n            \"known_false_positives\": \"It is likely that the outbound Server Message Block (SMB) traffic is legitimate, if the company's internal networks are not well-defined in the Assets and Identity Framework. Categorize the internal CIDR blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those CIDR blocks. Any other network connection that is going out to the Internet should be investigated and blocked. 
Best practices suggest preventing external communications of all SMB versions and related protocols at the network boundary.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Hidden Cobra Malware\",\n                    \"DHS Report TA18-074A\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1071.002\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\",\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 12\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"File Transfer Protocols\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT41\",\n                    \"SilverTerrier\",\n                    \"Machete\",\n                    \"Honeybee\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n   
                 \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_outbound_smb_traffic_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Rogue DHCP Server\",\n            \"id\": \"6e1ada88-7a0d-4ac1-92c6-03d354686079\",\n            \"version\": 1,\n            \"date\": \"2020-08-11\",\n            \"description\": \"By enabling DHCP Snooping as a Layer 2 Security measure on the organization's network devices, we will be able to detect unauthorized DHCP servers handing out DHCP leases to devices on the network (Man in the Middle attack).\",\n            \"how_to_implement\": \"This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping enabled (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and log with a severity level of minimum \\\"5 - notification\\\". 
The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Mikael Bjerkeland, Splunk\",\n            \"search\": \"`cisco_networks` facility=\\\"DHCP_SNOOPING\\\" mnemonic=\\\"DHCP_SNOOPING_UNTRUSTED_PORT\\\" | stats min(_time) AS firstTime max(_time) AS lastTime count values(message_type) AS message_type values(src_mac) AS src_mac BY host | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_rogue_dhcp_server_filter`\",\n            \"known_false_positives\": \"This search might be prone to high false positives if DHCP Snooping has been incorrectly configured or in the unlikely event that the DHCP server has been moved to another network interface.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Router and Infrastructure Security\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Reconnaissance\",\n                    \"Delivery\",\n                    \"Actions on Objectives\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1200\",\n                    \"T1498\",\n                    \"T1557\"\n                ],\n                \"cis20\": [\n                    \"CIS 1\",\n                    \"CIS 11\"\n                ],\n                \"nist\": [\n                    \"ID.AM\",\n                    \"PR.DS\"\n                ],\n                \"detection_name\": \"Detect Rogue DHCP Server\",\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Infrastructure\",\n                \"mitre_attack_technique\": [\n                    \"Hardware Additions\",\n                    \"Network Denial of Service\",\n                    \"Man-in-the-Middle\"\n                ],\n                
\"mitre_attack_tactics\": [\n                    \"Initial Access\",\n                    \"Impact\",\n                    \"Credential Access\",\n                    \"Collection\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"DarkVishnya\",\n                    \"no\",\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"eventtype=cisco_ios\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"cisco_networks\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_rogue_dhcp_server_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Unauthorized Assets by MAC address\",\n            \"id\": \"dcfd6b40-42f9-469d-a433-2e53f7489ff4\",\n            \"version\": 1,\n            \"date\": \"2017-09-13\",\n            \"description\": \"By populating the organization's assets within the assets_by_str.csv, we will be able to detect unauthorized devices that are trying to connect with the organization's network by inspecting DHCP request packets, which are issued by devices when they attempt to obtain an IP address from the DHCP server. 
The MAC address associated with the source of the DHCP request is checked against the list of known devices, and reports on those that are not found.\",\n            \"how_to_implement\": \"This search uses the Network_Sessions data model shipped with Enterprise Security. It leverages the Assets and Identity framework to populate the assets_by_str.csv file located in SA-IdentityManagement, which will contain a list of known authorized organizational assets including their MAC addresses. Ensure that all inventoried systems have their MAC address populated.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.signature=DHCPREQUEST by All_Sessions.src_ip All_Sessions.src_mac | dedup All_Sessions.src_mac| `drop_dm_object_name(\\\"Network_Sessions\\\")`|`drop_dm_object_name(\\\"All_Sessions\\\")` | search NOT [| inputlookup asset_lookup_by_str |rename mac as src_mac | fields + src_mac] | `detect_unauthorized_assets_by_mac_address_filter`\",\n            \"known_false_positives\": \"This search might be prone to high false positives. Please consider this when conducting analysis or investigations. Authorized devices may be detected as unauthorized. 
If this is the case, verify the MAC address of the system responsible for the false positive and add it to the Assets and Identity framework with the proper information.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Asset Tracking\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Reconnaissance\",\n                    \"Delivery\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 1\"\n                ],\n                \"nist\": [\n                    \"ID.AM\",\n                    \"PR.DS\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Infrastructure\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Count of assets by category\",\n                    \"id\": \"dcfd6b40-42f9-469d-a433-2e53f7489ff9\",\n                    \"version\": 1,\n                    \"date\": \"2017-09-13\",\n                    \"description\": \"This search shows you every asset category you have and the assets that belong to those categories.\",\n                    \"how_to_implement\": \"To successfully implement this search you must first leverage the Assets and Identity framework in Enterprise Security to populate your assets_by_str.csv file which should then be mapped to the Identity_Management data model. The Identity_Management data model will contain a list of known authorized company assets. 
Ensure that all inventoried systems are constantly vetted and updated.\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| from datamodel Identity_Management.All_Assets | stats count values(nt_host) by category | sort -count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Asset Tracking\"\n                        ],\n                        \"detections\": [\n                            \"Detect Unauthorized Assets by MAC address\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_unauthorized_assets_by_mac_address_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Zerologon via Zeek\",\n            \"id\": \"bf7a06ec-f703-11ea-adc1-0242ac120002\",\n            \"version\": 1,\n            \"date\": \"2020-09-15\",\n            \"description\": \"This search detects attempts to run exploits for the Zerologon CVE-2020-1472 vulnerability via Zeek RPC.\",\n            \"how_to_implement\": \"You must be ingesting Zeek DCE-RPC data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting when all three RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are observed via bro:rpc:json. 
These three operations are then correlated on the Zeek UID field.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.secura.com/blog/zero-logon\",\n                \"https://github.com/SecuraBV/CVE-2020-1472\",\n                \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472\"\n            ],\n            \"author\": \"Shannon Davis, Splunk\",\n            \"search\": \"`zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3) | bin span=5m _time | stats values(operation) dc(operation) as opscount count(eval(operation==\\\"NetrServerReqChallenge\\\")) as challenge count(eval(operation==\\\"NetrServerAuthenticate3\\\")) as authcount count(eval(operation==\\\"NetrServerPasswordSet2\\\")) as passcount count as totalcount by _time,src_ip,dest_ip | search opscount=3 authcount>4 passcount>0 | search `detect_zerologon_via_zeek_filter`\",\n            \"known_false_positives\": \"unknown\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Detect Zerologon Attack\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1190\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Exploitation\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 11\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Network\",\n                \"mitre_attack_technique\": [\n                    \"Exploit Public-Facing Application\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"Rocke\",\n                 
   \"APT39\",\n                    \"BlackTech\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"Night Dragon\",\n                    \"Axiom\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"index=zeek sourcetype=\\\"zeek:rpc:json\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                    \"name\": \"zeek_rpc\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_zerologon_via_zeek_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detection of DNS Tunnels\",\n            \"id\": \"104658f4-afdc-499f-9719-17a43f9826f4\",\n            \"version\": 2,\n            \"date\": \"2017-09-18\",\n            \"description\": \"This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic.\",\n            \"how_to_implement\": \"To successfully implement this search, we must ensure that DNS data is being ingested and mapped to the appropriate fields in the Network_Resolution data model. Fields like src_category are automatically provided by the Assets and Identity Framework shipped with Splunk Enterprise Security. 
You will need to ensure you are using the Assets and Identity Framework and populating the src_category field. You will also need to enable the `cim_corporate_web_domain_search()` macro which will essentially filter out the DNS queries made to the corporate web domains to reduce alert fatigue.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` dc(\\\"DNS.query\\\") as count  from datamodel=Network_Resolution  where nodename=DNS \\\"DNS.message_type\\\"=\\\"QUERY\\\" NOT (`cim_corporate_web_domain_search(\\\"DNS.query\\\")`) NOT \\\"DNS.query\\\"=\\\"*.in-addr.arpa\\\" NOT (\\\"DNS.src_category\\\"=\\\"svc_infra_dns\\\" OR \\\"DNS.src_category\\\"=\\\"svc_infra_webproxy\\\" OR \\\"DNS.src_category\\\"=\\\"svc_infra_email*\\\"   ) by \\\"DNS.src\\\",\\\"DNS.query\\\" | rename \\\"DNS.src\\\" as src  \\\"DNS.query\\\" as message | eval length=len(message) | stats sum(length) as length by src | append [ tstats `security_content_summariesonly` dc(\\\"DNS.answer\\\") as count  from datamodel=Network_Resolution  where nodename=DNS \\\"DNS.message_type\\\"=\\\"QUERY\\\" NOT (`cim_corporate_web_domain_search(\\\"DNS.query\\\")`) NOT \\\"DNS.query\\\"=\\\"*.in-addr.arpa\\\" NOT (\\\"DNS.src_category\\\"=\\\"svc_infra_dns\\\" OR \\\"DNS.src_category\\\"=\\\"svc_infra_webproxy\\\" OR \\\"DNS.src_category\\\"=\\\"svc_infra_email*\\\"   ) by \\\"DNS.src\\\",\\\"DNS.answer\\\" | rename \\\"DNS.src\\\" as src  \\\"DNS.answer\\\" as message | eval message=if(message==\\\"unknown\\\",\\\"\\\", message) | eval length=len(message) | stats sum(length) as length by src ] | stats sum(length) as length by src | where length > 10000 | `detection_of_dns_tunnels_filter`\",\n            \"known_false_positives\": \"It's possible that normal DNS traffic will exhibit this behavior. If an alert is generated, please investigate and validate as appropriate. 
The threshold can also be modified to better suit your environment.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Data Protection\",\n                    \"Suspicious DNS Traffic\",\n                    \"Command and Control\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1071.004\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 13\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"PR.DS\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"DNS\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT39\",\n                    \"Tropic Trooper\",\n                    \"OilRig\",\n                    \"Ke3chang\",\n                    \"Cobalt Group\",\n                    \"APT18\",\n                    \"APT41\",\n                    \"FIN7\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"detection_of_dns_tunnels_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"DNS Query Length Outliers - MLTK\",\n            \"id\": \"85fbcfe8-9718-4911-adf6-7000d077a3a9\",\n            \"version\": 2,\n            \"date\": \"2020-01-22\",\n            \"description\": \"This search allows you to identify DNS requests that are unusually large for the record type being requested in your environment.\",\n            \"how_to_implement\": \"To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \\\"Baseline of DNS Query Length - MLTK\\\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\\\\\\nThis search produces fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** DNS Query, **Field:** query\\\\\\n1. \\\\\\n1. **Label:** DNS Query Length, **Field:** query_length\\\\\\n1. \\\\\\n1. 
**Label:** Number of events, **Field:** count\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* |  `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval query_length = len(query) | apply dns_query_pdfmodel threshold=0.01 | rename \\\"IsOutlier(query_length)\\\" as isOutlier | search isOutlier > 0 | sort -query_length | table start_time end_time query record_type count src dest query_length | `dns_query_length_outliers___mltk_filter` \",\n            \"known_false_positives\": \"If you are seeing more results than desired, you may consider reducing the value for threshold in the search. 
You should also periodically re-run the support search to re-build the ML model on the latest data.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Hidden Cobra Malware\",\n                    \"Suspicious DNS Traffic\",\n                    \"Command and Control\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1071.004\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 12\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.AE\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"DNS\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT39\",\n                    \"Tropic Trooper\",\n                    \"OilRig\",\n                    \"Ke3chang\",\n                    \"Cobalt Group\",\n                    \"APT18\",\n                    \"APT41\",\n                    \"FIN7\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Baseline of DNS Query Length - MLTK\",\n                    \"id\": \"c914844c-0ff5-4efc-8d44-c063443129ba\",\n                    \"version\": 1,\n                    \"date\": \"2019-05-08\",\n                    \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the DNS queries for each DNS record type observed in the environment. 
By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search, which uses it to identify outliers in the length of the DNS query.\",\n                    \"how_to_implement\": \"To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(\\\"DNS\\\")` | eval query_length = len(query) | fit DensityFunction query_length by record_type into dns_query_pdfmodel\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Command and Control\",\n                            \"Hidden Cobra Malware\",\n                            \"Suspicious DNS Traffic\"\n                        ],\n                        \"detections\": [\n                            \"DNS Query Length Outliers - MLTK\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data 
model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"dns_query_length_outliers___mltk_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"DNS Query Length With High Standard Deviation\",\n            \"id\": \"1a67f15a-f4ff-4170-84e9-08cf6f75d6f5\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search allows you to identify DNS requests and compute the standard deviation on the length of the names being resolved, then filter on two times the standard deviation to show you those queries that are unusually large for your environment.\",\n            \"how_to_implement\": \"To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.query DNS.record_type |  `drop_dm_object_name(\\\"DNS\\\")` | eval query_length = len(query) | table query query_length record_type count | eventstats stdev(query_length) AS stdev avg(query_length) AS avg p50(query_length) AS p50| where query_length>(avg+stdev*2) | eval z_score=(query_length-avg)/stdev | 
`dns_query_length_with_high_standard_deviation_filter` \",\n            \"known_false_positives\": \"It's possible there can be long domain names that are legitimate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Hidden Cobra Malware\",\n                    \"Suspicious DNS Traffic\",\n                    \"Command and Control\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1071.004\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 12\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.AE\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"DNS\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT39\",\n                    \"Tropic Trooper\",\n                    \"OilRig\",\n                    \"Ke3chang\",\n                    \"Cobalt Group\",\n                    \"APT18\",\n                    \"APT41\",\n                    \"FIN7\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"dns_query_length_with_high_standard_deviation_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"DNS Query Requests Resolved by Unauthorized DNS Servers\",\n            \"id\": \"1a67f15a-f4ff-4170-84e9-08cf6f75d6f6\",\n            \"version\": 3,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework.\",\n            \"how_to_implement\": \"To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise Security.\",\n            \"type\": \"ESCU\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name(\\\"DNS\\\")` | `dns_query_requests_resolved_by_unauthorized_dns_servers_filter` \",\n            \"known_false_positives\": \"Legitimate DNS activity can be detected in this search. 
Investigate, verify and update the list of authorized DNS servers as appropriate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"DNS Hijacking\",\n                    \"Command and Control\",\n                    \"Suspicious DNS Traffic\",\n                    \"Host Redirection\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1071.004\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 1\",\n                    \"CIS 3\",\n                    \"CIS 8\",\n                    \"CIS 12\"\n                ],\n                \"nist\": [\n                    \"ID.AM\",\n                    \"PR.DS\",\n                    \"PR.IP\",\n                    \"DE.AE\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"DNS\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT39\",\n                    \"Tropic Trooper\",\n                    \"OilRig\",\n                    \"Ke3chang\",\n                    \"Cobalt Group\",\n                    \"APT18\",\n                    \"APT41\",\n                    \"FIN7\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": 
\"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"dns_query_requests_resolved_by_unauthorized_dns_servers_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"DNS record changed\",\n            \"id\": \"44d3a43e-dcd5-49f7-8356-5209bb369065\",\n            \"version\": 3,\n            \"date\": \"2020-07-21\",\n            \"description\": \"The search takes the DNS records and their answers results of the discovered_dns_records lookup and finds if any records have changed by searching DNS response from the Network_Resolution datamodel across the last day.\",\n            \"how_to_implement\": \"To successfully implement this search you will need to ensure that DNS data is populating the `Network_Resolution` data model. It also requires that the `discover_dns_record` lookup table be populated by the included support search \\\"Discover DNS record\\\". \\\\\\n **Splunk>Phantom Playbook Integration**\\\\\\nIf Splunk>Phantom is also configured in your environment, a Playbook called \\\"DNS Hijack Enrichment\\\" can be configured to run when any results are found by this detection search. The playbook takes in the DNS record changed and uses Geoip, whois, Censys and PassiveTotal to detect if DNS issuers changed. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \\\"Phantom Instance\\\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. 
\\\\\\n(Playbook Link:`https://my.phantom.us/4.2/playbook/dns-hijack-enrichment/`).\\\\\\n\",\n            \"type\": \"ESCU\",\n            \"author\": \"Jose Hernandez, Splunk\",\n            \"search\": \"| inputlookup discovered_dns_records.csv | rename answer as discovered_answer | join domain[|tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as current_answer values(DNS.src) as src from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!=\\\"unknown\\\" DNS.answer!=\\\"\\\" by DNS.query | rename DNS.query as query | where query!=\\\"unknown\\\" | rex field=query \\\"(?<domain>\\\\w+\\\\.\\\\w+?)(?:$|/)\\\"] | makemv delim=\\\" \\\" answer |  makemv delim=\\\" \\\" type | sort -count | table count,src,domain,type,query,current_answer,discovered_answer | makemv current_answer  | mvexpand current_answer | makemv discovered_answer | eval n=mvfind(discovered_answer, current_answer) | where isnull(n) | `dns_record_changed_filter`\",\n            \"known_false_positives\": \"Legitimate DNS changes can be detected in this search. 
Investigate, verify and update the list of provided current answers for the domains in question as appropriate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"DNS Hijacking\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1071.004\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 1\",\n                    \"CIS 3\",\n                    \"CIS 8\",\n                    \"CIS 12\"\n                ],\n                \"nist\": [\n                    \"ID.AM\",\n                    \"PR.DS\",\n                    \"PR.IP\",\n                    \"DE.AE\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"DNS\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT39\",\n                    \"Tropic Trooper\",\n                    \"OilRig\",\n                    \"Ke3chang\",\n                    \"Cobalt Group\",\n                    \"APT18\",\n                    \"APT41\",\n                    \"FIN7\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Discover DNS records\",\n                    \"id\": \"c096f721-8842-42ce-bfc7-74bd8c72b7c3\",\n                    \"version\": 1,\n                    \"date\": \"2019-02-14\",\n                    \"description\": \"The search takes corporate and common cloud provider domains configured under `cim_corporate_email_domains.csv`, `cim_corporate_web_domains.csv`, and `cloud_domains.csv` finds their responses across the last 30 
days from data in the `Network_Resolution ` datamodel, then stores the output under the `discovered_dns_records.csv` lookup\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting DNS logs, and populating the Network_Resolution data model. Also make sure that the cim_corporate_web_domains and cim_corporate_email_domains lookups are populated with the domains owned by your corporation\",\n                    \"author\": \"Jose Hernandez, Splunk\",\n                    \"search\": \"| inputlookup cim_corporate_email_domains.csv | inputlookup append=T cim_corporate_web_domains.csv | inputlookup append=T cim_cloud_domains.csv | eval domain = trim(replace(domain, \\\"\\\\*\\\", \\\"\\\")) | join domain [|tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as answer from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!=\\\"unknown\\\" DNS.answer!=\\\"\\\" by DNS.query | rename DNS.query as query | where query!=\\\"unknown\\\" | rex field=query \\\"(?<domain>\\\\w+\\\\.\\\\w+?)(?:$|/)\\\"] | makemv delim=\\\" \\\" answer |  makemv delim=\\\" \\\" type | sort -count | table count,domain,type,query,answer | outputlookup createinapp=true discovered_dns_records.csv\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DNS Hijacking\"\n                        ],\n                        \"detections\": [\n                            \"DNS record changed\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search 
*\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"dns_record_changed_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Excessive DNS Failures\",\n            \"id\": \"104658f4-afdc-499e-9719-17243f9826f1\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search identifies DNS query failures by counting the number of DNS responses that do not indicate success, and triggers on more than 50 occurrences.\",\n            \"how_to_implement\": \"To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(\\\"DNS.query\\\") as queries from datamodel=Network_Resolution where nodename=DNS \\\"DNS.reply_code\\\"!=\\\"No Error\\\" \\\"DNS.reply_code\\\"!=\\\"NoError\\\" DNS.reply_code!=\\\"unknown\\\" NOT \\\"DNS.query\\\"=\\\"*.arpa\\\" \\\"DNS.query\\\"=\\\"*.*\\\" by \\\"DNS.src\\\",\\\"DNS.query\\\"| `drop_dm_object_name(\\\"DNS\\\")`| lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain| where isnull(domain)| lookup update=true alexa_lookup_by_str domain as query OUTPUT rank| where isnull(rank)| stats sum(count) as count mode(queries) as queries by src| `get_asset(src)`| where count>50 | `excessive_dns_failures_filter`\",\n            \"known_false_positives\": \"It is possible legitimate traffic can trigger this rule. Please investigate as appropriate. 
The threshold for generating an event can also be customized to better suit your environment.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious DNS Traffic\",\n                    \"Command and Control\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1071.004\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 9\",\n                    \"CIS 12\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.AE\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"DNS\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT39\",\n                    \"Tropic Trooper\",\n                    \"OilRig\",\n                    \"Ke3chang\",\n                    \"Cobalt Group\",\n                    \"APT18\",\n                    \"APT41\",\n                    \"FIN7\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"excessive_dns_failures_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Hosts receiving high volume of network traffic from email server\",\n            \"id\": \"7f5fb3e1-4209-4914-90db-0ec21b556368\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server.\",\n            \"how_to_implement\": \"This search requires you to be ingesting your network traffic and populating the Network_Traffic data model.  Your email servers must be categorized as \\\"email_server\\\" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The \\\"deviation_threshold\\\" field is a multiplying factor to control how much variation you're willing to tolerate. 
The \\\"minimum_data_samples\\\" field is the minimum number of connections of data samples required for the statistic to be valid.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` sum(All_Traffic.bytes_in) as bytes_in from datamodel=Network_Traffic where All_Traffic.dest_category=email_server by All_Traffic.src_ip _time span=1d | `drop_dm_object_name(\\\"All_Traffic\\\")` | eventstats avg(bytes_in) as avg_bytes_in stdev(bytes_in) as stdev_bytes_in | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), \\\"@d\\\"), bytes_in, null))) as per_source_avg_bytes_in stdev(eval(if(_time < relative_time(now(), \\\"@d\\\"), bytes_in, null))) as per_source_stdev_bytes_in by src_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_in > (avg_bytes_in + (deviation_threshold * stdev_bytes_in)) AND bytes_in > (per_source_avg_bytes_in + (deviation_threshold * per_source_stdev_bytes_in)) AND _time >= relative_time(now(), \\\"@d\\\") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_in - avg_bytes_in) / stdev_bytes_in, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_in - per_source_avg_bytes_in) / per_source_stdev_bytes_in, 2) | table src_ip, _time, bytes_in, avg_bytes_in, per_source_avg_bytes_in, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `hosts_receiving_high_volume_of_network_traffic_from_email_server_filter`\",\n            \"known_false_positives\": \"The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. 
Our recommendation is to adjust these values based on your network traffic to and from your email servers.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Collection and Staging\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1114.002\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 7\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.CM\",\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Remote Email Collection\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Collection\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT1\",\n                    \"FIN4\",\n                    \"APT28\",\n                    \"Dragonfly 2.0\",\n                    \"Ke3chang\",\n                    \"Leafminer\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"hosts_receiving_high_volume_of_network_traffic_from_email_server_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Large Volume of DNS ANY Queries\",\n            \"id\": \"8fa891f7-a533-4b3c-af85-5aa2e7c1f1eb\",\n            \"version\": 1,\n            \"date\": \"2017-09-20\",\n            \"description\": \"The search is used to identify attempts to use your DNS Infrastructure for DDoS purposes via a DNS amplification attack leveraging ANY queries.\",\n            \"how_to_implement\": \"To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS \\\"DNS.message_type\\\"=\\\"QUERY\\\" \\\"DNS.record_type\\\"=\\\"ANY\\\" by \\\"DNS.dest\\\" | `drop_dm_object_name(\\\"DNS\\\")` | where count>200 | `large_volume_of_dns_any_queries_filter`\",\n            \"known_false_positives\": \"Legitimate ANY requests may trigger this search, however it is unusual to see a large volume of them under typical circumstances. 
You may modify the threshold in the search to better suit your environment.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"DNS Amplification Attacks\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1498.002\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 11\",\n                    \"CIS 12\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.AE\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"DNS Servers\",\n                \"mitre_attack_technique\": [\n                    \"Reflection Amplification\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Impact\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"large_volume_of_dns_any_queries_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Monitor DNS For Brand Abuse\",\n            \"id\": \"24dd17b1-e2fb-4c31-878c-d4f746595bfa\",\n            \"version\": 1,\n            \"date\": \"2017-09-23\",\n            \"description\": \"This search looks for DNS requests for faux domains similar to the domains that you want to have monitored for abuse.\",\n            \"how_to_implement\": \"You need to ingest data from your DNS logs. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You also need to have run the search \\\"ESCU - DNSTwist Domain Names\\\", which creates the permutations of the domain that will be checked for.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(\\\"DNS\\\")` | `security_content_ctime(firstTime)`| `brand_abuse_dns` | `monitor_dns_for_brand_abuse_filter`\",\n            \"known_false_positives\": \"None at this time\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Brand Monitoring\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Delivery\",\n                    \"Actions on Objectives\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                
\"mitre_attack_groups\": []\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"DNSTwist Domain Names\",\n                    \"id\": \"19f7d2ec-6028-4d01-bcdb-bda9a034c17f\",\n                    \"version\": 2,\n                    \"date\": \"2018-10-08\",\n                    \"description\": \"This search creates permutations of your existing domains, removes the valid domain names and stores them in a specified lookup file so they can be checked for in the associated detection searches.\",\n                    \"how_to_implement\": \"To successfully implement this search you need to update the file called domains.csv in the DA-ESS-SOC/lookup directory. Or `cim_corporate_email_domains.csv` and `cim_corporate_web_domains.csv` from **Splunk\\\\_SA\\\\_CIM**.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| dnstwist domainlist=domains.csv | `remove_valid_domains` | eval domain_abuse=\\\"true\\\" | table domain, domain_abuse | outputlookup brandMonitoring_lookup | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Brand Monitoring\",\n                            \"Suspicious Emails\"\n                        ],\n                        \"detections\": [\n                            \"Monitor Email For Brand Abuse\",\n                            \"Monitor DNS For Brand Abuse\",\n                            \"Monitor Web Traffic For Brand Abuse\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"lookup update=true 
brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true\",\n                    \"description\": \"This macro limits the output to only domains that are in the brand monitoring lookup file\",\n                    \"name\": \"brand_abuse_dns\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"monitor_dns_for_brand_abuse_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Prohibited Network Traffic Allowed\",\n            \"id\": \"ce5a0962-849f-4720-a678-753fe6674479\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for network traffic defined by port and transport layer protocol in the Enterprise Security lookup table \\\"lookup_interesting_ports\\\", that is marked as prohibited, and has an associated 'allow' action in the Network_Traffic data model. This could be indicative of a misconfigured network device.\",\n            \"how_to_implement\": \"In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. 
The search requires the Network_Traffic data model be populated.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port OUTPUT app is_prohibited note transport | search is_prohibited=true | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Traffic\\\")` | `prohibited_network_traffic_allowed_filter`\",\n            \"known_false_positives\": \"None identified\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Prohibited Traffic Allowed or Protocol Mismatch\",\n                    \"Ransomware\",\n                    \"Command and Control\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1048\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Delivery\",\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 9\",\n                    \"CIS 12\"\n                ],\n                \"nist\": [\n                    \"DE.AE\",\n                    \"PR.AC\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Exfiltration Over Alternative Protocol\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Exfiltration\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"macros\": 
[\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"prohibited_network_traffic_allowed_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Protocol or Port Mismatch\",\n            \"id\": \"54dc1265-2f74-4b6d-b30d-49eb506a31b3\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for network traffic on common ports where a higher layer protocol does not match the port that is being used. For example, this search should identify cases where protocols other than HTTP are running on TCP port 80. This can be used by attackers to circumvent firewall restrictions, or as an attempt to hide malicious communications over ports and protocols that are typically allowed and not well inspected.\",\n            \"how_to_implement\": \"Running this search properly requires a technology that can inspect network traffic and identify common protocols. 
Technologies such as Bro and Palo Alto Networks firewalls are two examples that will identify protocols via inspection, and not just assume a specific protocol based on the transport protocol and ports.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) OR ((All_Traffic.app=web-browsing OR All_Traffic.app=http) NOT (All_Traffic.dest_port=80 OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8000)) OR (All_Traffic.app=ssl NOT (All_Traffic.dest_port=443 OR All_Traffic.dest_port=8443)) OR (All_Traffic.app=smtp NOT All_Traffic.dest_port=25) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Traffic\\\")` | `protocol_or_port_mismatch_filter`\",\n            \"known_false_positives\": \"None identified\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Prohibited Traffic Allowed or Protocol Mismatch\",\n                    \"Command and Control\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1048.003\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 9\",\n                    \"CIS 12\"\n                ],\n                \"nist\": [\n                    \"DE.AE\",\n                    \"PR.AC\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol\"\n            
    ],\n                \"mitre_attack_tactics\": [\n                    \"Exfiltration\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT32\",\n                    \"APT33\",\n                    \"Thrip\",\n                    \"FIN8\",\n                    \"OilRig\",\n                    \"Lazarus Group\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"protocol_or_port_mismatch_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Protocols passing authentication in cleartext\",\n            \"id\": \"6923cd64-17a0-453c-b945-81ac2d8c6db9\",\n            \"version\": 1,\n            \"date\": \"2017-09-15\",\n            \"description\": \"This search looks for cleartext protocols at risk of leaking credentials. Currently, this consists of legacy protocols such as telnet, POP3, IMAP, and non-anonymous FTP sessions. 
While some of these protocols can be used over TLS, they typically run on different assigned ports in those cases, which is why this search keys on the cleartext ports only.\",\n            \"how_to_implement\": \"This search requires you to be ingesting your network traffic, and populating the Network_Traffic data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.protocol=\\\"tcp\\\" AND (All_Traffic.dest_port=\\\"23\\\" OR All_Traffic.dest_port=\\\"143\\\" OR All_Traffic.dest_port=\\\"110\\\" OR (All_Traffic.dest_port=\\\"21\\\" AND All_Traffic.user != \\\"anonymous\\\")) groupby All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Traffic\\\")` | `protocols_passing_authentication_in_cleartext_filter`\",\n            \"known_false_positives\": \"Some networks may use kerberized FTP or telnet servers, however, this is rare. Because the search matches on destination port rather than on an inspected protocol, IMAP and POP3 sessions that upgrade to TLS via STARTTLS on ports 143 and 110 will also match, as will any unrelated service bound to one of these ports.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Use of Cleartext Protocols\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Reconnaissance\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 9\",\n                    \"CIS 14\"\n                ],\n                \"nist\": [\n                    \"PR.PT\",\n                    \"DE.AE\",\n                    \"PR.AC\",\n                    \"PR.DS\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            
\"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"protocols_passing_authentication_in_cleartext_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Remote Desktop Network Bruteforce\",\n            \"id\": \"a98727cc-286b-4ff2-b898-41df64695923\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for RDP application network traffic and reports any source/destination pair whose connection count is more than two standard deviations above the mean count across all RDP pairs in the search window.\",\n            \"how_to_implement\": \"You must ensure that your network traffic data is populating the Network_Traffic data model. The search matches on All_Traffic.app=rdp, so the data source must identify the application rather than only the destination port.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Jose Hernandez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 | where count>(avg + stdev*2) | rename All_Traffic.src 
AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50 stdev | `remote_desktop_network_bruteforce_filter`\",\n            \"known_false_positives\": \"RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"SamSam Ransomware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1021.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Reconnaissance\",\n                    \"Delivery\"\n                ],\n                \"cis20\": [\n                    \"CIS 12\",\n                    \"CIS 9\",\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.AE\",\n                    \"PR.AC\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Remote Desktop Protocol\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"Wizard Spider\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"TEMP.Veles\",\n                    \"Leviathan\",\n                    \"APT39\",\n                    \"Stolen Pencil\",\n                    \"Cobalt Group\",\n                    \"Dragonfly 2.0\",\n                    \"FIN8\",\n                    \"APT3\",\n                    \"OilRig\",\n                    \"menuPass\",\n                    \"FIN10\",\n                    \"Patchwork\",\n                    \"FIN6\",\n                    \"Lazarus Group\",\n                    \"APT1\",\n                  
  \"Axiom\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"remote_desktop_network_bruteforce_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Remote Desktop Network Traffic\",\n            \"id\": \"272b8407-842d-4b3d-bead-a704584003d3\",\n            \"version\": 3,\n            \"date\": \"2020-07-07\",\n            \"description\": \"This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. This search allows for whitelisting both source and destination hosts to remove them from the output of the search so you can focus on the uncommon uses of remote desktop on your network.\",\n            \"how_to_implement\": \"To successfully implement this search you need to identify systems that commonly originate remote desktop traffic and that commonly receive remote desktop traffic. You can use the included support search \\\"Identify Systems Creating Remote Desktop Traffic\\\" to identify systems that originate the traffic and the search \\\"Identify Systems Receiving Remote Desktop Traffic\\\" to identify systems that receive a lot of remote desktop traffic. After identifying these systems, you will need to add the \\\"common_rdp_source\\\" or \\\"common_rdp_destination\\\" category to that system depending on the usage, using the Enterprise Security Assets and Identities framework.  
This can be done by adding an entry in the assets.csv file located in SA-IdentityManagement/lookups.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=3389 AND All_Traffic.dest_category!=common_rdp_destination AND All_Traffic.src_category!=common_rdp_source by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(\\\"All_Traffic\\\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_desktop_network_traffic_filter` \",\n            \"known_false_positives\": \"Remote Desktop may be used legitimately by users on the network.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"SamSam Ransomware\",\n                    \"Hidden Cobra Malware\",\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1021.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 3\",\n                    \"CIS 9\",\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.AE\",\n                    \"PR.AC\",\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Remote Desktop Protocol\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"Wizard 
Spider\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"TEMP.Veles\",\n                    \"Leviathan\",\n                    \"APT39\",\n                    \"Stolen Pencil\",\n                    \"Cobalt Group\",\n                    \"Dragonfly 2.0\",\n                    \"FIN8\",\n                    \"APT3\",\n                    \"OilRig\",\n                    \"menuPass\",\n                    \"FIN10\",\n                    \"Patchwork\",\n                    \"FIN6\",\n                    \"Lazarus Group\",\n                    \"APT1\",\n                    \"Axiom\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"remote_desktop_network_traffic_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"SMB Traffic Spike\",\n            \"id\": \"7f5fb3e1-4209-4914-90db-0ec21b936378\",\n            \"version\": 3,\n            \"date\": \"2020-07-22\",\n            \"description\": \"This search looks for spikes in the number of Server Message Block (SMB) traffic connections.\",\n            \"how_to_implement\": \"This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | `drop_dm_object_name(\\\"All_Traffic\\\")` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \\\"-70m@m\\\"), count, null))) as count avg(eval(if(_time<relative_time(maxtime, \\\"-70m@m\\\"), count, null))) as avg stdev(eval(if(_time<relative_time(maxtime, \\\"-70m@m\\\"), count, null))) as stdev by src | eval upperBound=(avg+stdev*2), isOutlier=if(count > upperBound AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count | `smb_traffic_spike_filter` \",\n            \"known_false_positives\": \"A file server may experience high-demand loads that could cause this analytic to trigger.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Emotet Malware  DHS Report TA18-201A \",\n                    \"Hidden Cobra Malware\",\n                    \"Ransomware\",\n                    \"DHS Report TA18-074A\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1021.002\"\n                ],\n              
  \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"SMB/Windows Admin Shares\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"APT39\",\n                    \"APT32\",\n                    \"Orangeworm\",\n                    \"FIN8\",\n                    \"APT3\",\n                    \"Lazarus Group\",\n                    \"Threat Group-1314\",\n                    \"Turla\",\n                    \"Deep Panda\",\n                    \"Ke3chang\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"smb_traffic_spike_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"SMB Traffic Spike - MLTK\",\n            \"id\": \"d25773ba-9ad8-48d1-858e-07ad0bbeb828\",\n            \"version\": 3,\n            \"date\": \"2020-07-22\",\n            \"description\": \"This search uses the Machine Learning Toolkit (MLTK) to identify spikes in the number of Server Message Block (SMB) connections.\",\n            \"how_to_implement\": \"To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \\\"Baseline of SMB Traffic - MLTK\\\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\\\\\\nThis search produces a field (Number of events,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \\\\\\n1. 
**Label:** Number of events, **Field:** count\\\\\\nDetailed documentation on how to create a new field within Incident Review is found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, \\\"%H\\\") | eval DayOfWeek=strftime(_time, \\\"%A\\\") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 | rename \\\"IsOutlier(count)\\\" as isOutlier | search isOutlier > 0 | sort -count | table _time src dest port count | `smb_traffic_spike___mltk_filter` \",\n            \"known_false_positives\": \"If you are seeing more results than desired, you may consider reducing the value of the threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. 
Please update the `smb_traffic_spike_mltk_filter` macro to filter out false positive results\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Emotet Malware  DHS Report TA18-201A \",\n                    \"Hidden Cobra Malware\",\n                    \"Ransomware\",\n                    \"DHS Report TA18-074A\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1021.002\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"SMB/Windows Admin Shares\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"APT39\",\n                    \"APT32\",\n                    \"Orangeworm\",\n                    \"FIN8\",\n                    \"APT3\",\n                    \"Lazarus Group\",\n                    \"Threat Group-1314\",\n                    \"Turla\",\n                    \"Deep Panda\",\n                    \"Ke3chang\"\n                ]\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"Baseline of SMB Traffic - MLTK\",\n                    \"id\": \"df98763b-0b08-4281-8ef9-08db7ac572a9\",\n                    \"version\": 1,\n                    \"date\": \"2019-05-08\",\n                    \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the number of SMB connections observed each hour for every day of 
week. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search to identify outliers in the number of SMB connections for that hour and day of the week.\",\n                    \"how_to_implement\": \"You must be ingesting network traffic and populating the Network_Traffic data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. To improve your results, you may consider adding \\\"src\\\" to the by clause, which will build the model for each unique source in your enviornment. However, if you have a large number of hosts in your environment, this search may be very resource intensive. In this case, you may need to raise the value of max_inputs and/or max_groups in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. 
More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=10m, All_Traffic.src | eval HourOfDay=strftime(_time, \\\"%H\\\") | eval DayOfWeek=strftime(_time, \\\"%A\\\") | `drop_dm_object_name(\\\"All_Traffic\\\")` | fit DensityFunction count by \\\"HourOfDay,DayOfWeek\\\" into smb_pdfmodel\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DHS Report TA18-074A\",\n                            \"Disabling Security Tools\",\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"Hidden Cobra Malware\",\n                            \"Netsh Abuse\",\n                            \"Ransomware\"\n                        ],\n                        \"detections\": [\n                            \"Processes launching netsh\",\n                            \"SMB Traffic Spike - MLTK\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"smb_traffic_spike___mltk_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"TOR Traffic\",\n            \"id\": \"ea688274-9c06-4473-b951-e4cb7a5d7a45\",\n            \"version\": 2,\n            \"date\": \"2020-07-22\",\n            \"description\": \"This search looks for network traffic identified as The Onion Router (TOR), a benign anonymity network which can be abused for a variety of nefarious purposes.\",\n            \"how_to_implement\": \"In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model be populated.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Traffic\\\")` | `tor_traffic_filter`\",\n            \"known_false_positives\": \"None at this time\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Prohibited Traffic Allowed or Protocol Mismatch\",\n                    \"Ransomware\",\n                    \"Command and Control\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1071.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\"\n                ],\n                \"cis20\": [\n                    \"CIS 9\",\n            
        \"CIS 12\"\n                ],\n                \"nist\": [\n                    \"DE.AE\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Web Protocols\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"TA505\",\n                    \"Rocke\",\n                    \"APT39\",\n                    \"Tropic Trooper\",\n                    \"MuddyWater\",\n                    \"Wizard Spider\",\n                    \"Inception\",\n                    \"APT41\",\n                    \"SilverTerrier\",\n                    \"Machete\",\n                    \"APT28\",\n                    \"WIRTE\",\n                    \"APT33\",\n                    \"FIN4\",\n                    \"Night Dragon\",\n                    \"APT18\",\n                    \"APT38\",\n                    \"Cobalt Group\",\n                    \"APT19\",\n                    \"Threat Group-3390\",\n                    \"Rancor\",\n                    \"Orangeworm\",\n                    \"APT37\",\n                    \"Ke3chang\",\n                    \"Dark Caracal\",\n                    \"Turla\",\n                    \"Lazarus Group\",\n                    \"BRONZE BUTLER\",\n                    \"APT32\",\n                    \"OilRig\",\n                    \"Magic Hound\",\n                    \"Gamaredon Group\",\n                    \"Stealth Falcon\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": 
\"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"tor_traffic_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect attackers scanning for vulnerable JBoss servers\",\n            \"id\": \"104658f4-afdc-499e-9719-17243f982681\",\n            \"version\": 1,\n            \"date\": \"2017-09-23\",\n            \"description\": \"This search looks for specific GET or HEAD requests to web servers that are indicative of reconnaissance attempts to identify vulnerable JBoss servers. 
JexBoss is described as the exploit tool of choice for this malicious activity.\",\n            \"how_to_implement\": \"You must be ingesting data from the web server or network traffic that contains web specific information, and populating the Web data model.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method=\\\"GET\\\" OR Web.http_method=\\\"HEAD\\\") AND (Web.url=\\\"*/web-console/ServerInfo.jsp*\\\" OR Web.url=\\\"*web-console*\\\" OR Web.url=\\\"*jmx-console*\\\" OR Web.url = \\\"*invoker*\\\") by Web.http_method, Web.url, Web.src, Web.dest | `drop_dm_object_name(\\\"Web\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_attackers_scanning_for_vulnerable_jboss_servers_filter`\",\n            \"known_false_positives\": \"It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"JBoss Vulnerability\",\n                    \"SamSam Ransomware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1082\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Reconnaissance\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Web Server\",\n                \"mitre_attack_technique\": [\n                    \"System Information Discovery\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Discovery\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Rocke\",\n                    \"Sandworm Team\",\n                    \"Blue Mockingbird\",\n                    \"Tropic Trooper\",\n    
                \"Frankenstein\",\n                    \"Inception\",\n                    \"Kimsuky\",\n                    \"Darkhotel\",\n                    \"MuddyWater\",\n                    \"APT18\",\n                    \"Honeybee\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"APT32\",\n                    \"Magic Hound\",\n                    \"OilRig\",\n                    \"APT3\",\n                    \"Sowbug\",\n                    \"Gamaredon Group\",\n                    \"Patchwork\",\n                    \"Stealth Falcon\",\n                    \"Lazarus Group\",\n                    \"admin@338\",\n                    \"Turla\",\n                    \"Ke3chang\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"detect_attackers_scanning_for_vulnerable_jboss_servers_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect F5 TMUI RCE CVE-2020-5902\",\n            \"id\": \"810e4dbc-d46e-11ea-87d0-0242ac130003\",\n            \"version\": 1,\n            \"date\": \"2020-08-02\",\n            \"description\": \"This search detects remote code exploit attempts on F5 BIG-IP, BIG-IQ, and Traffix SDC devices\",\n            \"how_to_implement\": \"To consistently detect exploit attempts on F5 devices using the vulnerabilities contained within CVE-2020-5902 it is recommended to ingest logs via syslog.  As many BIG-IP devices will have SSL enabled on their management interfaces, detections via wire data may not pick anything up unless you are decrypting SSL traffic in order to inspect it.  I am using a regex string from a Cloudflare mitigation technique to try and always catch the offending string (..;), along with the other exploit of using (hsqldb;).\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/\",\n                \"https://support.f5.com/csp/article/K52145254\",\n                \"https://blog.cloudflare.com/cve-2020-5902-helping-to-protect-against-the-f5-tmui-rce-vulnerability/\"\n            ],\n            \"author\": \"Shannon Davis, Splunk\",\n            \"search\": \"`f5_bigip_rogue` | regex _raw=\\\"(hsqldb;|.*\\\\\\\\.\\\\\\\\.;.*)\\\" | search `detect_f5_tmui_rce_cve_2020_5902_filter`\",\n            \"known_false_positives\": \"unknown\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"F5 TMUI RCE CVE-2020-5902\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1190\"\n                ],\n                
\"kill_chain_phases\": [\n                    \"Exploitation\"\n                ],\n                \"cis20\": [\n                    \"CIS 8\",\n                    \"CIS 11\"\n                ],\n                \"nist\": [\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Network\",\n                \"mitre_attack_technique\": [\n                    \"Exploit Public-Facing Application\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"Rocke\",\n                    \"APT39\",\n                    \"BlackTech\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"Night Dragon\",\n                    \"Axiom\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"index=netops sourcetype=\\\"f5:bigip:rogue\\\"\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"f5_bigip_rogue\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"detect_f5_tmui_rce_cve_2020_5902_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect malicious requests to exploit JBoss servers\",\n            \"id\": \"c8bff7a4-11ea-4416-a27d-c5bca472913d\",\n            \"version\": 1,\n            \"date\": \"2017-09-23\",\n            \"description\": \"This search is used to detect malicious HTTP requests crafted to exploit jmx-console in JBoss servers. The malicious requests have a long URL length, as the payload is embedded in the URL.\",\n            \"how_to_implement\": \"You must ingest data from the web server or capture network data that contains web specific information with solutions such as Bro or Splunk Stream, and populating the Web data model\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method=\\\"GET\\\" OR Web.http_method=\\\"HEAD\\\") by Web.http_method, Web.url,Web.url_length Web.src, Web.dest | search Web.url=\\\"*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*\\\" AND Web.url_length > 200 | `drop_dm_object_name(\\\"Web\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, dest_ip, http_method, url, firstTime, lastTime | `detect_malicious_requests_to_exploit_jboss_servers_filter`\",\n            \"known_false_positives\": \"No known false positives for this detection.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"JBoss Vulnerability\",\n                    \"SamSam Ransomware\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Delivery\"\n                ],\n                \"cis20\": [\n                    \"CIS 12\",\n                    \"CIS 4\",\n     
               \"CIS 18\"\n                ],\n                \"nist\": [\n                    \"ID.RA\",\n                    \"PR.PT\",\n                    \"PR.IP\",\n                    \"DE.AE\",\n                    \"PR.MA\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Web Server\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_malicious_requests_to_exploit_jboss_servers_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect web traffic to dynamic domain providers\",\n            \"id\": \"134da869-e264-4a8f-8d7e-fcd01c18f301\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for web connections to dynamic DNS providers.\",\n            \"how_to_implement\": \"This search requires you to be ingesting web-traffic logs. 
You can obtain these logs from indexing data from a web proxy or by using a network-traffic-analysis tool, such as Bro or Splunk Stream. The web data model must contain the URL being requested, the IP address of the host initiating the request, and the destination IP. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of dynamic DNS providers. Consider periodically updating this local lookup file with new domains.\\\\\\nThis search produces fields (`isDynDNS`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** IsDynamicDNS, **Field:** isDynDNS\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count values(Web.url) as url min(_time) as firstTime from datamodel=Web where Web.status=200 by Web.src Web.dest Web.status | `drop_dm_object_name(\\\"Web\\\")` | `security_content_ctime(firstTime)` | `dynamic_dns_web_traffic` | `detect_web_traffic_to_dynamic_domain_providers_filter`\",\n            \"known_false_positives\": \"It is possible that list of dynamic DNS providers is outdated and/or that the URL being requested is legitimate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Dynamic DNS\"\n                ],\n                \"mitre_attack_id\": [\n                    
\"T1071.001\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Command and Control\",\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 7\",\n                    \"CIS 8\"\n                ],\n                \"nist\": [\n                    \"PR.IP\",\n                    \"DE.DP\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [\n                    \"Web Protocols\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"TA505\",\n                    \"Rocke\",\n                    \"APT39\",\n                    \"Tropic Trooper\",\n                    \"MuddyWater\",\n                    \"Wizard Spider\",\n                    \"Inception\",\n                    \"APT41\",\n                    \"SilverTerrier\",\n                    \"Machete\",\n                    \"APT28\",\n                    \"WIRTE\",\n                    \"APT33\",\n                    \"FIN4\",\n                    \"Night Dragon\",\n                    \"APT18\",\n                    \"APT38\",\n                    \"Cobalt Group\",\n                    \"APT19\",\n                    \"Threat Group-3390\",\n                    \"Rancor\",\n                    \"Orangeworm\",\n                    \"APT37\",\n                    \"Ke3chang\",\n                    \"Dark Caracal\",\n                    \"Turla\",\n                    \"Lazarus Group\",\n                    \"BRONZE BUTLER\",\n                    \"APT32\",\n                    \"OilRig\",\n                    \"Magic Hound\",\n                    \"Gamaredon Group\",\n                    \"Stealth Falcon\"\n             
   ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True\",\n                    \"description\": \"This is a description\",\n                    \"name\": \"dynamic_dns_web_traffic\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"detect_web_traffic_to_dynamic_domain_providers_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Monitor Web Traffic For Brand Abuse\",\n            \"id\": \"134da869-e264-4a8f-8d7e-fcd0ec88f301\",\n            \"version\": 1,\n            \"date\": \"2017-09-23\",\n            \"description\": \"This search looks for Web requests to faux domains similar to the one that you want to have monitored for abuse.\",\n            \"how_to_implement\": \"You need to ingest data from your web traffic. 
This can be accomplished by indexing data from a web proxy, or using a network traffic analysis tool, such as Bro or Splunk Stream. You also need to have run the search \\\"ESCU - DNSTwist Domain Names\\\", which creates the permutations of the domain that will be checked for.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` values(Web.url) as urls min(_time) as firstTime from datamodel=Web by Web.src | `drop_dm_object_name(\\\"Web\\\")` | `security_content_ctime(firstTime)` | `brand_abuse_web` | `monitor_web_traffic_for_brand_abuse_filter`\",\n            \"known_false_positives\": \"None at this time\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Brand Monitoring\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Delivery\"\n                ],\n                \"cis20\": [\n                    \"CIS 7\"\n                ],\n                \"nist\": [\n                    \"PR.IP\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Endpoint\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"baselines\": [\n                {\n                    \"name\": \"DNSTwist Domain Names\",\n                    \"id\": \"19f7d2ec-6028-4d01-bcdb-bda9a034c17f\",\n                    \"version\": 2,\n                    \"date\": \"2018-10-08\",\n                    \"description\": \"This search creates permutations of your existing domains, removes the valid domain names and stores them in a specified lookup file so they can be checked for in the associated detection searches.\",\n                    \"how_to_implement\": \"To successfully implement this search you need to update 
the file called domains.csv in the DA-ESS-SOC/lookup directory. Or `cim_corporate_email_domains.csv` and `cim_corporate_web_domains.csv` from **Splunk\\\\_SA\\\\_CIM**.\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| dnstwist domainlist=domains.csv | `remove_valid_domains` | eval domain_abuse=\\\"true\\\" | table domain, domain_abuse | outputlookup brandMonitoring_lookup | stats count\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Brand Monitoring\",\n                            \"Suspicious Emails\"\n                        ],\n                        \"detections\": [\n                            \"Monitor Email For Brand Abuse\",\n                            \"Monitor DNS For Brand Abuse\",\n                            \"Monitor Web Traffic For Brand Abuse\"\n                        ]\n                    }\n                }\n            ],\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"arguments\": [\n                        \"field\"\n                    ],\n                    \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    \"description\": \"convert epoch time to string\",\n                    \"name\": \"security_content_ctime\"\n                },\n                {\n                    \"definition\": \"lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse | search domain_abuse=true\",\n                    \"description\": \"This macro limits the output to only domains that are in the brand monitoring lookup file\",\n                    \"name\": \"brand_abuse_web\"\n         
       },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"monitor_web_traffic_for_brand_abuse_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"SQL Injection with Long URLs\",\n            \"id\": \"e0aad4cf-0790-423b-8328-7564d0d938f9\",\n            \"version\": 2,\n            \"date\": \"2020-07-21\",\n            \"description\": \"This search looks for long URLs that have several SQL commands visible within them.\",\n            \"how_to_implement\": \"To successfully implement this search, you need to be monitoring network communications to your web servers or ingesting your HTTP logs and populating the Web data model. You must also identify your web servers in the Enterprise Security assets table.\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Web where Web.dest_category=web_server AND (Web.url_length > 1024 OR Web.http_user_agent_length > 200) by Web.src Web.dest Web.url Web.url_length Web.http_user_agent | `drop_dm_object_name(\\\"Web\\\")` | eval num_sql_cmds=mvcount(split(url, \\\"alter%20table\\\")) + mvcount(split(url, \\\"between\\\")) + mvcount(split(url, \\\"create%20table\\\")) + mvcount(split(url, \\\"create%20database\\\")) + mvcount(split(url, \\\"create%20index\\\")) + mvcount(split(url, \\\"create%20view\\\")) + mvcount(split(url, \\\"delete\\\")) + mvcount(split(url, \\\"drop%20database\\\")) + mvcount(split(url, \\\"drop%20index\\\")) + mvcount(split(url, \\\"drop%20table\\\")) + mvcount(split(url, \\\"exists\\\")) + mvcount(split(url, \\\"exec\\\")) + mvcount(split(url, \\\"group%20by\\\")) + mvcount(split(url, \\\"having\\\")) + mvcount(split(url, 
\\\"insert%20into\\\")) + mvcount(split(url, \\\"inner%20join\\\")) + mvcount(split(url, \\\"left%20join\\\")) + mvcount(split(url, \\\"right%20join\\\")) + mvcount(split(url, \\\"full%20join\\\")) + mvcount(split(url, \\\"select\\\")) + mvcount(split(url, \\\"distinct\\\")) + mvcount(split(url, \\\"select%20top\\\")) + mvcount(split(url, \\\"union\\\")) + mvcount(split(url, \\\"xp_cmdshell\\\")) - 24 | where num_sql_cmds > 3 | `sql_injection_with_long_urls_filter`\",\n            \"known_false_positives\": \"It's possible that legitimate traffic will have long URLs or long user agent strings and that common SQL commands may be found within the URL. Please investigate as appropriate.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"SQL Injection\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1190\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Delivery\"\n                ],\n                \"cis20\": [\n                    \"CIS 4\",\n                    \"CIS 13\",\n                    \"CIS 18\"\n                ],\n                \"nist\": [\n                    \"PR.DS\",\n                    \"ID.RA\",\n                    \"PR.PT\",\n                    \"PR.IP\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"network\",\n                \"asset_type\": \"Database Server\",\n                \"mitre_attack_technique\": [\n                    \"Exploit Public-Facing Application\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"Rocke\",\n                    \"APT39\",\n                    \"BlackTech\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"Night Dragon\",\n       
             \"Axiom\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                    \"description\": \"search data model's summaries only\",\n                    \"name\": \"security_content_summariesonly\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                    \"name\": \"sql_injection_with_long_urls_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Web Fraud - Account Harvesting\",\n            \"id\": \"31337aaa-941d-4ada-81ac-q2a17be5bf0d\",\n            \"version\": 1,\n            \"date\": \"2018-10-08\",\n            \"description\": \"This search is used to identify the creation of multiple user accounts using the same email domain name.\",\n            \"how_to_implement\": \"We start with a dataset that provides visibility into the email address used for the account creation. In this example, we are narrowing our search down to the single web page that hosts the Magento2 e-commerce platform (via URI) used for account creation, the single http content-type to grab only the user's clicks, and the http field that provides the username (form_data), for performance reasons.  After we have the username and email domain, we look for numerous account creations per email domain.  
Common data sources used for this detection are customized Apache logs or Splunk Stream.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://splunkbase.splunk.com/app/2734/\",\n                \"https://splunkbase.splunk.com/app/1809/\"\n            ],\n            \"author\": \"Jim Apger, Splunk\",\n            \"search\": \"`stream_http` http_content_type=text* uri=\\\"/magento2/customer/account/loginPost/\\\" | rex field=cookie \\\"form_key=(?<SessionID>\\\\w+)\\\" | rex field=form_data \\\"login\\\\[username\\\\]=(?<Username>[^&|^$]+)\\\" | search Username=* | rex field=Username \\\"@(?<email_domain>.*)\\\" | stats dc(Username) as UniqueUsernames list(Username) as src_user by email_domain | where UniqueUsernames> 25 | `web_fraud___account_harvesting_filter`\",\n            \"known_false_positives\": \"As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamolous behavior. This search will need to be customized to fit your environment&#151;improving its fidelity by counting based on something much more specific, such as a device ID that may be present in your dataset. Consideration for whether the large number of registrations are occuring from a first-time seen domain may also be important.  Extending the search window to look further back in time, or even calculating the average per hour/day for each email domain to look for an anomalous spikes, will improve this search.  
You can also use Shannon entropy or Levenshtein Distance (both courtesy of URL Toolbox) to consider the randomness or similarity of the email name or email domain, as the names are often machine-generated.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Web Fraud Detection\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1136\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.CM\",\n                    \"DE.DP\"\n                ],\n                \"security_domain\": \"threat\",\n                \"asset_type\": \"Account\",\n                \"mitre_attack_technique\": [\n                    \"Create Account\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=stream:http\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"stream_http\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"web_fraud___account_harvesting_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Web Fraud - Anomalous User Clickspeed\",\n            \"id\": \"31337bbb-bc22-4752-b599-ef192df2dc7a\",\n            \"version\": 1,\n            \"date\": \"2018-10-08\",\n            \"description\": \"This search is used to examine web sessions to identify those where the clicks are occurring too quickly for a human or are occurring with a near-perfect cadence (high periodicity or low standard deviation), resembling a script driven session.\",\n            \"how_to_implement\": \"Start with a dataset that allows you to see clickstream data for each user click on the website. That data must have a time stamp and must contain a reference to the session identifier being used by the website. This ties the clicks together into clickstreams. This value is usually found in the http cookie. With a bit of tuning, a version of this search could be used in high-volume scenarios, such as scraping, crawling, application DDOS, credit-card testing, account takeover, etc. 
Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://en.wikipedia.org/wiki/Session_ID\",\n                \"https://en.wikipedia.org/wiki/Session_(computer_science)\",\n                \"https://en.wikipedia.org/wiki/HTTP_cookie\",\n                \"https://splunkbase.splunk.com/app/1809/\"\n            ],\n            \"author\": \"Jim Apger, Splunk\",\n            \"search\": \"`stream_http` http_content_type=text* | rex field=cookie \\\"form_key=(?<session_id>\\\\w+)\\\" | streamstats window=2 current=1 range(_time) as TimeDelta by session_id | where TimeDelta>0 |stats count stdev(TimeDelta) as ClickSpeedStdDev avg(TimeDelta) as ClickSpeedAvg by session_id | where count>5 AND (ClickSpeedStdDev<.5 OR ClickSpeedAvg<.5) | `web_fraud___anomalous_user_clickspeed_filter`\",\n            \"known_false_positives\": \"As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosly written detections that simply detect anamoluous behavior.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Web Fraud Detection\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078\"\n                ],\n                \"kill_chain_phases\": [\n                    \"Actions on Objectives\"\n                ],\n                \"cis20\": [\n                    \"CIS 6\"\n                ],\n                \"nist\": [\n                    \"DE.AE\",\n                    \"DE.CM\"\n                ],\n                \"security_domain\": \"threat\",\n                \"asset_type\": \"account\",\n                \"mitre_attack_technique\": [\n                    \"Valid Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    
\"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Sandworm Team\",\n                    \"Wizard Spider\",\n                    \"Silence\",\n                    \"APT41\",\n                    \"Soft Cell\",\n                    \"TEMP.Veles\",\n                    \"APT39\",\n                    \"FIN4\",\n                    \"Night Dragon\",\n                    \"Dragonfly 2.0\",\n                    \"FIN8\",\n                    \"Leviathan\",\n                    \"APT33\",\n                    \"OilRig\",\n                    \"FIN5\",\n                    \"menuPass\",\n                    \"APT28\",\n                    \"FIN10\",\n                    \"Suckfly\",\n                    \"FIN6\",\n                    \"Threat Group-3390\",\n                    \"APT18\",\n                    \"PittyTiger\",\n                    \"Carbanak\"\n                ]\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=stream:http\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"stream_http\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"web_fraud___anomalous_user_clickspeed_filter\"\n                }\n            ]\n        },\n        {\n            \"name\": \"Web Fraud - Password Sharing Across Accounts\",\n            \"id\": \"31337a1a-53b9-4e05-96e9-55c934cb71d3\",\n            \"version\": 1,\n            \"date\": \"2018-10-08\",\n            \"description\": \"This search is used to identify user accounts that share a common password.\",\n            \"how_to_implement\": \"We need to start with a dataset that allows us to see the values of usernames and passwords that users are submitting to the website hosting the Magento2 e-commerce platform (commonly found in the HTTP form_data field). A tokenized or hashed value of a password is acceptable and certainly preferable to a clear-text password. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://en.wikipedia.org/wiki/Session_ID\",\n                \"https://en.wikipedia.org/wiki/Session_(computer_science)\",\n                \"https://en.wikipedia.org/wiki/HTTP_cookie\",\n                \"https://splunkbase.splunk.com/app/1809/\"\n            ],\n            \"author\": \"Jim Apger, Splunk\",\n            \"search\": \"`stream_http` http_content_type=text* uri=/magento2/customer/account/loginPost*  | rex field=form_data \\\"login\\\\[username\\\\]=(?<Username>[^&|^$]+)\\\" | rex field=form_data \\\"login\\\\[password\\\\]=(?<Password>[^&|^$]+)\\\" | stats dc(Username) as UniqueUsernames values(Username) as user list(src_ip) as src_ip by Password|where UniqueUsernames>5 | `web_fraud___password_sharing_across_accounts_filter`\",\n            \"known_false_positives\": \"As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamoluous 
behavior.\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Web Fraud Detection\"\n                ],\n                \"cis20\": [\n                    \"CIS 16\"\n                ],\n                \"nist\": [\n                    \"DE.DP\"\n                ],\n                \"security_domain\": \"threat\",\n                \"asset_type\": \"account\",\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"macros\": [\n                {\n                    \"definition\": \"sourcetype=stream:http\",\n                    \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                    \"name\": \"stream_http\"\n                },\n                {\n                    \"definition\": \"search *\",\n                    \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                    \"name\": \"web_fraud___password_sharing_across_accounts_filter\"\n                }\n            ]\n        }\n    ],\n    \"count\": 248\n}"}],"_postman_id":"ea1a9786-54a6-4146-9a07-7d724ce9c371"}],"id":"039a36f4-97c8-43fc-a49a-01b601d4d8ae","_postman_id":"039a36f4-97c8-43fc-a49a-01b601d4d8ae","description":""},{"name":"stories","item":[{"name":"/stories","id":"1bb3ff54-6ad9-40cd-b9ce-869308a12fd6","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"auth":{"type":"noauth","isInherited":false},"method":"GET","header":[],"url":"https://content.splunkresearch.com/stories","description":"<p>list all analytics stories</p>\n","urlObject":{"path":["stories"],"host":["https://content.splunkresearch.com"],"query":[],"variable":[]}},"response":[{"id":"e2430c3a-9c60-4f89-ba8e-f8bd4a5168b5","name":"/stories","originalRequest":{"method":"GET","header":[],"url":"https://content.splunkresearch.com/stories"},"status":"OK","code":200,"_postman_previewlanguage":"json","header":[{"key":"Date","value":"Thu, 05 Nov 2020 08:15:32 GMT"},{"key":"Content-Type","value":"application/json"},{"key":"Content-Length","value":"1209059"},{"key":"Connection","value":"keep-alive"},{"key":"x-amzn-RequestId","value":"0bbcabf6-efd3-4bc2-b202-c66e6357d474"},{"key":"Access-Control-Allow-Origin","value":"*"},{"key":"Access-Control-Allow-Headers","value":"Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key"},{"key":"x-amz-apigw-id","value":"VhknrFUtvHcFs0A="},{"key":"X-Amzn-Trace-Id","value":"Root=1-5fa3b497-645439d227429f7a135d13ae;Sampled=0"}],"cookie":[],"responseTime":null,"body":"{\n    \"stories\": [\n        {\n            \"name\": \"Account Monitoring and Controls\",\n            \"id\": \"8892a655-6205-55f7-abba-06460e38c8ae\",\n            \"version\": 1,\n            \"date\": \"2017-09-06\",\n            \"description\": \"A common attack technique is to leverage user accounts to gain unauthorized access to the target's network. 
This Analytic Story minimizes opportunities for attack by helping you actively manage creation/use/dormancy/deletion--the lifecycle of system and application accounts.\",\n            \"narrative\": \"Monitoring user accounts within your enterprise is a critical analytic function that helps ensure that credential and access policies/procedures are properly implemented and are being enforced. Proactive ad-hoc hunting, as well as routine monitoring, can ensure user or system accounts are not being abused by unauthorized individuals or processes. In the event of a network event or breach, user-authentication logs are a key resource in determining if or how an account might have been compromised or co-opted, leading to suspicious or malicious activity.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [],\n            \"tags\": {\n                \"analytics_story\": \"Account Monitoring and Controls\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Best Practices\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.003\",\n                    \"T1136.001\",\n                    \"T1078.002\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Local Accounts\",\n                    \"Domain Accounts\",\n                    \"Local Account\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Tropic Trooper\",\n                    \"APT32\",\n                    \"Dragonfly 2.0\",\n                    \"APT3\",\n                    \"APT39\",\n                    \"Stolen Pencil\",\n                    
\"APT41\",\n                    \"Threat Group-1314\",\n                    \"Leafminer\",\n                    \"TA505\",\n                    \"FIN10\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Identify New User Accounts\",\n                    \"id\": \"475b9e27-17e4-46e2-b7e2-648221be3b89\",\n                    \"version\": 1,\n                    \"date\": \"2017-09-12\",\n                    \"description\": \"This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week.\",\n                    \"how_to_implement\": \"To successfully implement this search, you need to be populating the Enterprise Security Identity_Management data model in the assets and identity framework.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| from datamodel Identity_Management.All_Identities  | eval empStatus=case((now()-startDate)<604800, \\\"Accounts created in last week\\\") | search empStatus=\\\"Accounts created in last week\\\"| `security_content_ctime(endDate)` | `security_content_ctime(startDate)`| table identity empStatus endDate startDate | `identify_new_user_accounts_filter`\",\n                    \"known_false_positives\": \"If the Identity_Management data model is not updated regularly, this search could give you false positive alerts. 
Please consider this and investigate appropriately.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Account Monitoring and Controls\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.002\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"access\",\n                        \"asset_type\": \"Domain Server\",\n                        \"mitre_attack_technique\": [\n                            \"Domain Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"TA505\",\n                            \"APT3\",\n                            \"Threat Group-1314\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"identify_new_user_accounts_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Excessive Account Lockouts From Endpoint\",\n                    \"id\": \"c026e3dd-7e18-4abb-8f41-929e836efe74\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search identifies endpoints that have caused a relatively high number of account lockouts in a short period.\",\n                    \"how_to_implement\": \"You must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment. \\\\\\n **Splunk>Phantom Playbook Integration**\\\\\\nIf Splunk>Phantom is also configured in your environment, a Playbook called \\\"Excessive Account Lockouts Enrichment and Response\\\" can be configured to run when any results are found by this detection search. The Playbook executes the Contextual and Investigative searches in this Story, conducts additional information gathering on Windows endpoints, and takes a response action to shut down the affected endpoint. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \\\"Phantom Instance\\\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. 
\\\\\\n(Playbook Link:`https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/`).\\\\\\n\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where nodename=All_Changes.Account_Management All_Changes.result=\\\"lockout\\\" by All_Changes.dest All_Changes.result |`drop_dm_object_name(\\\"All_Changes\\\")` |`drop_dm_object_name(\\\"Account_Management\\\")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_account_lockouts_from_endpoint_filter`\",\n                    \"known_false_positives\": \"It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Account Monitoring and Controls\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.003\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"access\",\n                        \"asset_type\": \"Windows\",\n                        \"mitre_attack_technique\": [\n                            \"Local Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n     
                       \"Tropic Trooper\",\n                            \"FIN10\",\n                            \"Stolen Pencil\",\n                            \"APT32\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_excessive_account_lockouts_from_endpoint_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Excessive User Account Lockouts\",\n                    \"id\": \"95a7f9a5-6096-437e-a19e-86f42ac609bd\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search detects user accounts that have been locked out a relatively high number of times in a short period.\",\n                    \"how_to_implement\": \"ou must ingest your Windows security event logs in the `Change` datamodel under the nodename is `Account_Management`, for this search to execute successfully. 
Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where nodename=All_Changes.Account_Management All_Changes.result=\\\"lockout\\\" by All_Changes.user All_Changes.result |`drop_dm_object_name(\\\"All_Changes\\\")` |`drop_dm_object_name(\\\"Account_Management\\\")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_user_account_lockouts_filter`\",\n                    \"known_false_positives\": \"It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Account Monitoring and Controls\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.003\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"access\",\n                        \"asset_type\": \"Windows\",\n                        \"mitre_attack_technique\": [\n                            \"Local Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n      
                  \"mitre_attack_groups\": [\n                            \"Tropic Trooper\",\n                            \"FIN10\",\n                            \"Stolen Pencil\",\n                            \"APT32\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_excessive_user_account_lockouts_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Short Lived Windows Accounts\",\n                    \"id\": \"b25f6f62-0782-43c1-b403-083231ffd97d\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-06\",\n                    \"description\": \"This search detects accounts that were created and deleted in a short time period.\",\n                    \"how_to_implement\": \"This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs.  
More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 OR All_Changes.result_id=4726 by _time span=4h All_Changes.user All_Changes.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(\\\"All_Changes\\\")` | search result_id = 4720 result_id=4726 | transaction user connected=false maxspan=240m | table firstTime lastTime count user dest result_id | `short_lived_windows_accounts_filter`\",\n                    \"known_false_positives\": \"It is possible that an administrator created and deleted an account in a short time period.  
Verifying activity with an administrator is advised.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Account Monitoring and Controls\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1136.001\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"access\",\n                        \"asset_type\": \"Windows\",\n                        \"mitre_attack_technique\": [\n                            \"Local Account\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"APT41\",\n                            \"Dragonfly 2.0\",\n                            \"Leafminer\",\n                            \"APT3\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n          
              },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"short_lived_windows_accounts_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Apache Struts Vulnerability\",\n            \"id\": \"2dcfd6a2-e7d2-4873-b6ba-adaf819d2a1e\",\n            \"version\": 1,\n            \"date\": \"2018-12-06\",\n            \"description\": \"Detect and investigate activities--such as unusually long `Content-Type` length, suspicious java classes and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities.\",\n            \"narrative\": \"In March of 2017, a remote code-execution vulnerability in the Jakarta Multipart parser in Apache Struts, a widely used open-source framework for creating Java web applications, was disclosed and assigned to CVE-2017-5638. About two months later, hackers exploited the flaw to carry out the world's <a href=https://www.usatoday.com/story/tech/2017/09/07/nations-biggest-hacks-and-data-breaches-millions/644311001/> 5th largest data breach</a>. The target, credit giant Equifax, <a href=https://money.cnn.com/2017/09/16/technology/equifax-breach-security-hole/index.html>told investigators</a> that it had become aware of the vulnerability two months before the attack. \\\\\\nThe exploit involved manipulating the `Content-Type HTTP` header to execute commands embedded in the header.\\\\\\nThis Analytic Story contains two different searches that help to identify activity that may be related to this issue. The first search looks for characteristics of the `Content-Type` header consistent with attempts to exploit the vulnerability. 
This should be a relatively pertinent indicator, as the `Content-Type` header is generally consistent and does not have a large degree of variation.\\\\\\nThe second search looks for the execution of various commands typically entered on the command shell when an attacker first lands on a system. These commands are not generally executed on web servers during the course of day-to-day operation, but they may be used when the system is undergoing maintenance or troubleshooting.\\\\\\nFirst, it is helpful to understand how often the notable event is generated, as well as the commonalities in some of these events. This may help determine whether this is a common occurrence that is of a lesser concern or a rare event that may require more extensive investigation. It can also help to understand whether the issue is restricted to a single user or system or is broader in scope.\\\\\\nWhen looking at the target of the behavior illustrated by the event, you should note the sensitivity of the user and/or system to help determine the potential impact. It is also helpful to see what other events involving the target have occurred in the recent past. This can help tie different events together and give further situational awareness regarding the target.\\\\\\nVarious types of information for external systems should be reviewed and (potentially) collected if the incident is, indeed, judged to be malicious. Information like this can be useful in generating your own threat intelligence to create alerts in the future.\\\\\\nLooking at the country, responsible party, and fully qualified domain names associated with the external IP address--as well as the registration information associated with those domain names, if they are frequently visited by others--can help you answer the question of \\\"who,\\\" in regard to the external system. Answering that can help qualify the event and may prove useful for tracking. 
In addition, there are various sources that can provide some reputation information on the IP address or domain name, which can assist in determining if the event is malicious in nature. Finally, determining whether or not there are other events associated with the IP address may help connect some dots or show other events that should be brought into scope.\\\\\\nGathering various data elements on the system of interest can sometimes help quickly determine that something suspicious may be happening. Some of these items include determining who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\\\\\\nWhen a specific service or application is targeted, it is often helpful to know the associated version to help determine whether or not it is vulnerable to a specific exploit.\\\\\\nWhen it is suspected there is an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\\\\\\nIn the event that a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that have the file open, what processes created and/or modified the file, and the number of systems that may have this file can help to determine if the file is malicious. 
Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes quickly help determine whether it is malicious in nature.\\\\\\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\\\Windows\\\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, there may be activity initiated via a compromised website the user visited.\\\\\\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process that is of interest. For example, if it turns out that the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might also be worth further scrutiny. 
If a process is suspect, reviewing the network connections made around the time of the event and/or if the process spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Apache Struts Vulnerability\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Vulnerability\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1082\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"System Information Discovery\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Discovery\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Lazarus Group\",\n                    \"Gamaredon Group\",\n                    \"Honeybee\",\n                    \"Frankenstein\",\n                    \"APT18\",\n                    \"Tropic Trooper\",\n                    \"APT32\",\n                    \"Patchwork\",\n                    \"Turla\",\n                    \"Sandworm Team\",\n                    \"Sowbug\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"Blue Mockingbird\",\n                    \"Stealth Falcon\",\n                    \"admin@338\",\n                    \"Magic Hound\",\n                    \"Inception\",\n                    \"Kimsuky\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"OilRig\",\n                    \"Rocke\",\n                    
\"Ke3chang\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Suspicious Java Classes\",\n                    \"id\": \"if1fea6da-3c86-4c1d-b255-fc3b2781a491\",\n                    \"version\": 1,\n                    \"date\": \"2018-12-06\",\n                    \"description\": \"This search looks for suspicious Java classes that are often used to exploit remote command execution in common Java frameworks, such as Apache Struts.\",\n                    \"how_to_implement\": \"In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers. This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Jose Hernandez, Splunk\",\n                    \"search\": \"`stream_http` http_method=POST http_content_length>1 | regex form_data=\\\"(?i)java\\\\.lang\\\\.(?:runtime|processbuilder)\\\" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_java_classes_filter`\",\n                    \"known_false_positives\": \"There are no known false positives.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Apache Struts Vulnerability\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Exploitation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 7\",\n                            \"CIS 12\"\n                        
],\n                        \"nist\": [\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=stream:http\",\n                            \"description\": \"customer-specific Splunk configurations (e.g. index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"stream_http\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"suspicious_java_classes_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Unusually Long Content-Type Length\",\n                    \"id\": \"57a0a2bf-353f-40c1-84dc-29293f3c35b7\",\n                    \"version\": 1,\n                    \"date\": \"2017-10-13\",\n                    \"description\": \"This search looks for unusually long strings in the Content-Type http header that the client sends the server.\",\n                    \"how_to_implement\": \"This particular search leverages data extracted from Stream:HTTP. You must configure the http stream using the Splunk Stream App on your Splunk Stream deployment server to extract the cs_content_type field.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`stream_http` | eval cs_content_type_length = len(cs_content_type) | where cs_content_type_length > 100 | table endtime src_ip dest_ip cs_content_type_length cs_content_type url | `unusually_long_content_type_length_filter`\",\n                    \"known_false_positives\": \"Very few legitimate Content-Type fields will have a length greater than 100 characters.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Apache Struts Vulnerability\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 4\",\n                            \"CIS 18\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"ID.RA\",\n                            \"RS.MI\",\n                   
         \"PR.PT\",\n                            \"PR.IP\",\n                            \"DE.AE\",\n                            \"PR.MA\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Web Server\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=stream:http\",\n                            \"description\": \"customer-specific Splunk configurations (e.g. index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"stream_http\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"unusually_long_content_type_length_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Web Servers Executing Suspicious Processes\",\n                    \"id\": \"ec3b7601-689a-4463-94e0-c9f45638efb9\",\n                    \"version\": 1,\n                    \"date\": \"2019-04-01\",\n                    \"description\": \"This search looks for suspicious processes on all systems labeled as web servers.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. In addition, web servers will need to be identified in the Assets and Identity Framework of Enterprise Security.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest_category=\\\"web_server\\\" AND (Processes.process=\\\"*whoami*\\\" OR Processes.process=\\\"*ping*\\\" OR Processes.process=\\\"*iptables*\\\" OR Processes.process=\\\"*wget*\\\" OR Processes.process=\\\"*service*\\\" OR Processes.process=\\\"*curl*\\\") by Processes.process Processes.process_name, Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter`\",\n                    \"known_false_positives\": \"Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Apache Struts Vulnerability\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1082\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Web Server\",\n                        \"mitre_attack_technique\": 
[\n                            \"System Information Discovery\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Discovery\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Rocke\",\n                            \"Sandworm Team\",\n                            \"Blue Mockingbird\",\n                            \"Tropic Trooper\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"Kimsuky\",\n                            \"Darkhotel\",\n                            \"MuddyWater\",\n                            \"APT18\",\n                            \"Honeybee\",\n                            \"APT19\",\n                            \"APT37\",\n                            \"APT32\",\n                            \"Magic Hound\",\n                            \"OilRig\",\n                            \"APT3\",\n                            \"Sowbug\",\n                            \"Gamaredon Group\",\n                            \"Patchwork\",\n                            \"Stealth Falcon\",\n                            \"Lazarus Group\",\n                            \"admin@338\",\n                            \"Turla\",\n                            \"Ke3chang\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert 
timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"web_servers_executing_suspicious_processes_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Asset Tracking\",\n            \"id\": \"91c676cf-0b23-438d-abee-f6335e1fce77\",\n            \"version\": 1,\n            \"date\": \"2017-09-13\",\n            \"description\": \"Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further.\",\n            \"narrative\": \"This Analytic Story is designed to help you develop a better understanding of what authorized and unauthorized devices are part of your enterprise. This story can help you better categorize and classify assets, providing critical business context and awareness of their assets during an incident. Information derived from this Analytic Story can be used to better inform and support other analytic stories. 
For successful detection, you will need to leverage the Assets and Identity Framework from Enterprise Security to populate your known assets.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.cisecurity.org/controls/inventory-of-authorized-and-unauthorized-devices/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Asset Tracking\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Best Practices\"\n                ],\n                \"mitre_attack_id\": [],\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect Unauthorized Assets by MAC address\",\n                    \"id\": \"dcfd6b40-42f9-469d-a433-2e53f7489ff4\",\n                    \"version\": 1,\n                    \"date\": \"2017-09-13\",\n                    \"description\": \"By populating the organization's assets within the assets_by_str.csv, we will be able to detect unauthorized devices that are trying to connect with the organization's network by inspecting DHCP request packets, which are issued by devices when they attempt to obtain an IP address from the DHCP server. The MAC address associated with the source of the DHCP request is checked against the list of known devices, and reports on those that are not found.\",\n                    \"how_to_implement\": \"This search uses the Network_Sessions data model shipped with Enterprise Security. It leverages the Assets and Identity framework to populate the assets_by_str.csv file located in SA-IdentityManagement, which will contain a list of known authorized organizational assets including their MAC addresses. 
Ensure that all inventoried systems have their MAC address populated.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Sessions where nodename=All_Sessions.DHCP All_Sessions.signature=DHCPREQUEST by All_Sessions.src_ip All_Sessions.src_mac | dedup All_Sessions.src_mac| `drop_dm_object_name(\\\"Network_Sessions\\\")`|`drop_dm_object_name(\\\"All_Sessions\\\")` | search NOT [| inputlookup asset_lookup_by_str |rename mac as src_mac | fields + src_mac] | `detect_unauthorized_assets_by_mac_address_filter`\",\n                    \"known_false_positives\": \"This search might be prone to high false positives. Please consider this when conducting analysis or investigations. Authorized devices may be detected as unauthorized. If this is the case, verify the MAC address of the system responsible for the false positive and add it to the Assets and Identity framework with the proper information.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Asset Tracking\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Reconnaissance\",\n                            \"Delivery\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Infrastructure\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        
\"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Count of assets by category\",\n                            \"id\": \"dcfd6b40-42f9-469d-a433-2e53f7489ff9\",\n                            \"version\": 1,\n                            \"date\": \"2017-09-13\",\n                            \"description\": \"This search shows you every asset category you have and the assets that belong to those categories.\",\n                            \"how_to_implement\": \"To successfully implement this search you must first leverage the Assets and Identity framework in Enterprise Security to populate your assets_by_str.csv file which should then be mapped to the Identity_Management data model. The Identity_Management data model will contain a list of known authorized company assets. Ensure that all inventoried systems are constantly vetted and updated.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"| from datamodel Identity_Management.All_Assets | stats count values(nt_host) by category | sort -count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Asset Tracking\"\n                                ],\n                                \"detections\": [\n                                    \"Detect Unauthorized Assets by MAC address\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n       
                     \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_unauthorized_assets_by_mac_address_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"AWS Cross Account Activity\",\n            \"id\": \"2f2f610a-d64d-48c2-b57c-967a2b49ab5a\",\n            \"version\": 1,\n            \"date\": \"2018-06-04\",\n            \"description\": \"Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.\",\n            \"narrative\": \"Amazon Web Services (AWS) admins manage access to AWS resources and services across the enterprise using AWS's Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage AWS users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as EC2 instances, the AWS Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\\\\\\nHerein lies the rub. In between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\\\\\\nThis Analytic Story includes searches that will help you monitor your AWS CloudTrail logs for evidence of suspicious cross-account activity.  
For example, while accessing multiple AWS accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"AWS Cross Account Activity\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1550\",\n                    \"T1078.004\",\n                    \"T1078\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Valid Accounts\",\n                    \"Cloud Accounts\",\n                    \"Use Alternate Authentication Material\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Persistence\",\n                    \"Privilege Escalation\",\n                    \"Defense Evasion\",\n                    \"Lateral Movement\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Dragonfly 2.0\",\n                    \"Soft Cell\",\n                    \"APT41\",\n                    \"Threat Group-3390\",\n                    \"Night Dragon\",\n                    \"FIN10\",\n                    \"APT18\",\n                    \"TEMP.Veles\",\n                    \"APT28\",\n                    \"FIN8\",\n                    \"Sandworm Team\",\n                    \"Silence\",\n                    \"menuPass\",\n                    
\"Suckfly\",\n                    \"APT39\",\n                    \"Carbanak\",\n                    \"FIN5\",\n                    \"Wizard Spider\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"FIN4\",\n                    \"no\",\n                    \"PittyTiger\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"AWS Cross Account Activity From Previously Unseen Account\",\n                    \"id\": \"64fbbddf-fabf-4edf-80b3-0cc36ef37727\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for AssumeRole events where an IAM role in a different account is requested for the first time.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Run the `Previously Seen AWS Cross Account Activity` support search only once to create the baseline of previously seen cross account activity. 
Thanks to Pablo Vega at Recurly for suggesting improvements to the search.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=AssumeRole | spath output=requestingAccountId path=userIdentity.accountId | spath output=requestedAccountId path=resources{}.accountId | search requestingAccountId=* | where requestingAccountId != requestedAccountId | inputlookup append=t previously_seen_aws_cross_account_activity | multireport [| stats min(eval(coalesce(firstTime, _time))) as firstTime max(eval(coalesce(lastTime, _time))) as lastTime by requestingAccountId, requestedAccountId | outputlookup previously_seen_aws_cross_account_activity | where fact=fiction] [| eventstats min(eval(coalesce(firstTime, _time))) as firstTime, max(eval(coalesce(lastTime, _time))) as lastTime by requestingAccountId, requestedAccountId | where firstTime >= relative_time(now(), \\\"-70m@m\\\") AND isnotnull(_time) | spath output=accessKeyId path=responseElements.credentials.accessKeyId | spath output=requestingARN path=resources{}.ARN | stats values(awsRegion) as awsRegion values(firstTime) as firstTime values(lastTime) as lastTime values(sharedEventID) as sharedEventID, values(requestingARN) as src_user, values(responseElements.assumedRoleUser.arn) as dest_user by _time, requestingAccountId, requestedAccountId, accessKeyId] | table _time, firstTime, lastTime, src_user, requestingAccountId, dest_user, requestedAccountId, awsRegion, accessKeyId, sharedEventID | `aws_cross_account_activity_from_previously_unseen_account_filter`\",\n                    \"known_false_positives\": \"Using multiple AWS accounts and roles is perfectly valid behavior. It's suspicious when an account requests privileges of an account it hasn't before. 
You should validate with the account owner that this is a legitimate request.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cross Account Activity\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.004\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"PR.AC\",\n                            \"PR.DS\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT33\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen AWS Cross Account Activity\",\n                            \"id\": \"1cc22b09-c867-416e-a511-cb36ac44aee2\",\n                            \"version\": 1,\n                            \"date\": \"2018-06-04\",\n                            \"description\": \"This search looks for **AssumeRole** events where the requesting account differs from the requested account, then writes these relationships to a lookup 
file.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Validate the user name entries in `previously_seen_aws_cross_account_activity.csv`, a lookup file created by this support search.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=AssumeRole | spath output=requestingAccountId path=userIdentity.accountId | spath output=requestedAccountId path=resources{}.accountId | search requestingAccountId=* | where requestingAccountId!=requestedAccountId | stats earliest(_time) as firstTime latest(_time) as lastTime by requestingAccountId, requestedAccountId | outputlookup previously_seen_aws_cross_account_activity | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS Cross Account Activity\"\n                                ],\n                                \"detections\": [\n                                    \"AWS Cross Account Activity From Previously Unseen Account\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"Customer-specific Splunk configurations (e.g. index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"aws_cross_account_activity_from_previously_unseen_account_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-07-27\",\n                    \"description\": \"This search provides detection of a user attaching itself to a different role trust policy. This can be used for lateral movement and escalation of privileges.\",\n                    \"how_to_implement\": \"You must install the Splunk Add-on for AWS and Splunk App for AWS. This search works with CloudWatch logs.\",\n                    \"id\": \"88fc31dd-f331-448c-9856-d3d51dd5d3a1\",\n                    \"known_false_positives\": \"Attach to policy can create a lot of noise. This search can be adjusted to provide specific values to identify cases of abuse (e.g. status=failure). The search can provide context for common users attaching themselves to higher privilege policies or even newly created policies.\",\n                    \"name\": \"aws detect attach to role policy\",\n                    \"references\": [],\n                    \"search\": \"`aws_cloudwatchlogs_eks` attach policy| spath requestParameters.policyArn | table sourceIPAddress user_access_key userIdentity.arn userIdentity.sessionContext.sessionIssuer.arn eventName errorCode errorMessage status action requestParameters.policyArn userIdentity.sessionContext.attributes.mfaAuthenticated userIdentity.sessionContext.attributes.creationDate  | `aws_detect_attach_to_role_policy_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cross Account Activity\"\n                        ],\n                        \"asset_type\": \"AWS Account\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        
\"mitre_attack_id\": [\n                            \"T1078\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [\n                            \"Valid Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"TEMP.Veles\",\n                            \"APT39\",\n                            \"FIN4\",\n                            \"Night Dragon\",\n                            \"Dragonfly 2.0\",\n                            \"FIN8\",\n                            \"Leviathan\",\n                            \"APT33\",\n                            \"OilRig\",\n                            \"FIN5\",\n                            \"menuPass\",\n                            \"APT28\",\n                            \"FIN10\",\n                            \"Suckfly\",\n                            \"FIN6\",\n                            \"Threat Group-3390\",\n                            \"APT18\",\n                            \"PittyTiger\",\n                            \"Carbanak\"\n                        ]\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                            \"description\": \"customer specific splunk 
configurations (e.g. index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"aws_cloudwatchlogs_eks\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"aws_detect_attach_to_role_policy_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-07-27\",\n                    \"description\": \"This search provides detection of accounts creating permanent keys. Permanent keys are not created by default and they are only needed for programmatic calls. Creation of a permanent key is an important event to monitor.\",\n                    \"how_to_implement\": \"You must install the Splunk Add-on for AWS and Splunk App for AWS. This search works with CloudWatch logs.\",\n                    \"id\": \"12d6d713-3cb4-4ffc-a064-1dca3d1cca01\",\n                    \"known_false_positives\": \"Not all permanent key creations are malicious. 
If there is a policy of rotating keys this search can be adjusted to provide better context.\",\n                    \"name\": \"aws detect permanent key creation\",\n                    \"references\": [],\n                    \"search\": \"`aws_cloudwatchlogs_eks` CreateAccessKey | spath eventName | search eventName=CreateAccessKey \\\"userIdentity.type\\\"=IAMUser | table sourceIPAddress userName userIdentity.type userAgent action status responseElements.accessKey.createDate responseElements.accessKey.status responseElements.accessKey.accessKeyId |`aws_detect_permanent_key_creation_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cross Account Activity\"\n                        ],\n                        \"asset_type\": \"AWS Account\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [\n                            \"Valid Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"TEMP.Veles\",\n                            \"APT39\",\n                            \"FIN4\",\n                            \"Night Dragon\",\n            
                \"Dragonfly 2.0\",\n                            \"FIN8\",\n                            \"Leviathan\",\n                            \"APT33\",\n                            \"OilRig\",\n                            \"FIN5\",\n                            \"menuPass\",\n                            \"APT28\",\n                            \"FIN10\",\n                            \"Suckfly\",\n                            \"FIN6\",\n                            \"Threat Group-3390\",\n                            \"APT18\",\n                            \"PittyTiger\",\n                            \"Carbanak\"\n                        ]\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                            \"description\": \"Customer-specific Splunk configurations (e.g. index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"aws_cloudwatchlogs_eks\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"aws_detect_permanent_key_creation_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-07-27\",\n                    \"description\": \"This search provides detection of role creation by IAM users. 
Role creation is a notable event by itself if a user is creating a new role with trust policies different from those available in AWS, and it can be used for lateral movement and escalation of privileges.\",\n                    \"how_to_implement\": \"You must install the Splunk Add-on for AWS and Splunk App for AWS. This search works with CloudWatch logs.\",\n                    \"id\": \"5f04081e-ddee-4353-afe4-504f288de9ad\",\n                    \"known_false_positives\": \"CreateRole is not very common among ordinary users. This search can be adjusted to provide specific values to identify cases of abuse. In general AWS provides plenty of trust policies that fit most use cases.\",\n                    \"name\": \"aws detect role creation\",\n                    \"references\": [],\n                    \"search\": \"`aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole requestParameters.description=Allows* | table sourceIPAddress userIdentity.principalId userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName requestParameters.description responseElements.role.arn responseElements.role.createDate | `aws_detect_role_creation_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cross Account Activity\"\n                        ],\n                        \"asset_type\": \"AWS Account\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [\n                            \"Valid Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                      
      \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"TEMP.Veles\",\n                            \"APT39\",\n                            \"FIN4\",\n                            \"Night Dragon\",\n                            \"Dragonfly 2.0\",\n                            \"FIN8\",\n                            \"Leviathan\",\n                            \"APT33\",\n                            \"OilRig\",\n                            \"FIN5\",\n                            \"menuPass\",\n                            \"APT28\",\n                            \"FIN10\",\n                            \"Suckfly\",\n                            \"FIN6\",\n                            \"Threat Group-3390\",\n                            \"APT18\",\n                            \"PittyTiger\",\n                            \"Carbanak\"\n                        ]\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"aws_cloudwatchlogs_eks\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"aws_detect_role_creation_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-07-27\",\n                    \"description\": \"This search provides detection of suspicious use of sts:AssumeRole. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.\",\n                    \"how_to_implement\": \"You must install the Splunk Add-on for AWS and Splunk App for AWS. This search works with CloudTrail logs.\",\n                    \"id\": \"8e565314-b6a2-46d8-9f05-1a34a176a662\",\n                    \"known_false_positives\": \"Sts:AssumeRole can be very noisy as it is a standard mechanism to provide cross-account and cross-resource access. 
This search can be adjusted to provide specific values to identify cases of abuse.\",\n                    \"name\": \"aws detect sts assume role abuse\",\n                    \"references\": [],\n                    \"search\": \"`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role | table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate | `aws_detect_sts_assume_role_abuse_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cross Account Activity\"\n                        ],\n                        \"asset_type\": \"AWS Account\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [\n                            \"Valid Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"TEMP.Veles\",\n                            \"APT39\",\n                            \"FIN4\",\n                            \"Night Dragon\",\n                            \"Dragonfly 2.0\",\n                            
\"FIN8\",\n                            \"Leviathan\",\n                            \"APT33\",\n                            \"OilRig\",\n                            \"FIN5\",\n                            \"menuPass\",\n                            \"APT28\",\n                            \"FIN10\",\n                            \"Suckfly\",\n                            \"FIN6\",\n                            \"Threat Group-3390\",\n                            \"APT18\",\n                            \"PittyTiger\",\n                            \"Carbanak\"\n                        ]\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"Customer-specific Splunk configurations (e.g. index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"aws_detect_sts_assume_role_abuse_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-07-27\",\n                    \"description\": \"This search provides detection of suspicious use of sts:GetSessionToken. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.\",\n                    \"how_to_implement\": \"You must install the Splunk Add-on for AWS and Splunk App for AWS. 
This search works with CloudWatch logs.\",\n                    \"id\": \"85d7b35f-b8b5-4b01-916f-29b81e7a0551\",\n                    \"known_false_positives\": \"Sts:GetSessionToken can be very noisy as in certain environments numerous calls of this type can be executed. This search can be adjusted to provide specific values to identify cases of abuse. In specific environments the field requestParameters.serialNumber will need to be used.\",\n                    \"name\": \"aws detect sts get session token abuse\",\n                    \"references\": [],\n                    \"search\": \"`aws_cloudwatchlogs_eks` ASIA  userIdentity.type=IAMUser| spath eventName | search eventName=GetSessionToken | table sourceIPAddress eventTime userIdentity.arn userName userAgent user_type status region | `aws_detect_sts_get_session_token_abuse_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cross Account Activity\"\n                        ],\n                        \"asset_type\": \"AWS Account\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1550\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [\n                            \"Use Alternate Authentication Material\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                       
 {\n                            \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"aws_cloudwatchlogs_eks\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"aws_detect_sts_get_session_token_abuse_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"AWS Cryptomining\",\n            \"id\": \"ced74200-8465-4bc3-bd2c-9a782eec6750\",\n            \"version\": 1,\n            \"date\": \"2018-03-08\",\n            \"description\": \"Monitor your AWS EC2 instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or EC2 instances started by previously unseen users are just a few examples of potentially malicious behavior.\",\n            \"narrative\": \"Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority. \\\\\\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS). 
It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN. \\\\\\nhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So, it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated. \\\\\\nThis Analytic Story is focused on detecting suspicious new instances in your EC2 environment to help prevent such a disaster. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"AWS Cryptomining\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1535\",\n                    \"T1078.004\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Unused/Unsupported Cloud Regions\",\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\",\n                    
\"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Abnormally High AWS Instances Launched by User\",\n                    \"id\": \"2a9b80d3-6340-4345-b5ad-290bf5d0dac4\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for CloudTrail events where a user successfully launches an abnormally high number of instances.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. The threshold value should be tuned to your environment.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success | bucket span=10m _time | stats count AS instances_launched by _time userName | eventstats avg(instances_launched) as total_launched_avg, stdev(instances_launched) as total_launched_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_launched > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), \\\"-10m@m\\\") | eval num_standard_deviations_away = round(abs(instances_launched - total_launched_avg) / total_launched_stdev, 2) | table _time, userName, instances_launched, num_standard_deviations_away, total_launched_avg, total_launched_stdev | `abnormally_high_aws_instances_launched_by_user_filter`\",\n                    \"known_false_positives\": \"Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. 
Always verify if this search alerted on a human user.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cryptomining\",\n                            \"Suspicious AWS EC2 Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.004\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"risk_score\": 40,\n                        \"risk_object_type\": \"user\",\n                        \"risk_object\": \"userName\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT33\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"abnormally_high_aws_instances_launched_by_user_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"EC2 Instance Started In Previously Unseen Region\",\n                    \"id\": \"ada0f478-84a8-4641-a3f3-d82362d6fd75\",\n                    \"version\": 1,\n                    \"date\": \"2018-02-23\",\n                    \"description\": \"This search looks for CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
Run the \\\"Previously seen AWS Regions\\\" support search only once to create of baseline of previously seen regions.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` earliest=-1h StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | inputlookup append=t previously_seen_aws_regions.csv | stats min(earliest) as earliest max(latest) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | eval regionStatus=if(earliest >= relative_time(now(),\\\"-1d@d\\\"), \\\"Instance Started in a New Region\\\",\\\"Previously Seen Region\\\") | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where regionStatus=\\\"Instance Started in a New Region\\\" | `ec2_instance_started_in_previously_unseen_region_filter`\",\n                    \"known_false_positives\": \"It's possible that a user has unknowingly started an instance in a new region. 
Please verify that this activity is legitimate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cryptomining\",\n                            \"Suspicious AWS EC2 Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1535\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Unused/Unsupported Cloud Regions\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen AWS Regions\",\n                            \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd63\",\n                            \"version\": 1,\n                            \"date\": \"2018-01-08\",\n                            \"description\": \"This search looks for CloudTrail events where an AWS instance is started and creates a baseline of most recent time (latest) and the first time (earliest) we've seen this region in our dataset grouped by the value awsRegion for the last 30 days\",\n                            \"how_to_implement\": \"You must install the AWS 
App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"`cloudtrail` StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS Cryptomining\",\n                                    \"Suspicious AWS EC2 Activities\"\n                                ],\n                                \"detections\": [\n                                    \"EC2 Instance Started In Previously Unseen Region\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"ec2_instance_started_in_previously_unseen_region_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"EC2 Instance Started With Previously Unseen AMI\",\n                    \"id\": \"347ec301-601b-48b9-81aa-9ddf9c829dd3\",\n                    \"version\": 1,\n                    \"date\": \"2018-03-12\",\n                    \"description\": \"This search looks for EC2 instances being created with previously unseen AMIs.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the \\\"Previously Seen EC2 AMIs\\\" support search once to create a history of previously seen AMIs.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by requestParameters.instancesSet.items{}.imageId | rename requestParameters.instancesSet.items{}.imageId as amiID | inputlookup append=t previously_seen_ec2_amis.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by amiID | outputlookup previously_seen_ec2_amis.csv | eval newAMI=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | where newAMI=1 | rename amiID as requestParameters.instancesSet.items{}.imageId | table requestParameters.instancesSet.items{}.imageId] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as arn, requestParameters.instancesSet.items{}.imageId as amiID | 
table firstTime, lastTime, arn, amiID, dest, instanceType | `ec2_instance_started_with_previously_unseen_ami_filter`\",\n                    \"known_false_positives\": \"After a new AMI is created, the first systems created with that AMI will cause this alert to fire.  Verify that the AMI being used was created by a legitimate user.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cryptomining\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen EC2 AMIs\",\n                            \"id\": \"bb1bd99d-1e93-45f1-9571-cfed42d372b9\",\n                            \"version\": 1,\n                            \"date\": \"2018-03-12\",\n                            \"description\": \"This search builds a table of previously seen AMIs used to launch EC2 instances\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success | rename requestParameters.instancesSet.items{}.imageId as amiID | stats earliest(_time) as firstTime latest(_time) as lastTime by amiID | outputlookup 
previously_seen_ec2_amis.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS Cryptomining\"\n                                ],\n                                \"detections\": [\n                                    \"EC2 Instance Started With Previously Unseen AMI\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"ec2_instance_started_with_previously_unseen_ami_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"EC2 Instance Started With Previously Unseen Instance Type\",\n                    \"id\": \"65541c80-03c7-4e05-83c8-1dcd57a2e1ad\",\n                    \"version\": 2,\n                    \"date\": \"2020-02-07\",\n                    \"description\": \"This search looks for EC2 instances being created with previously unseen instance types.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the \\\"Previously Seen EC2 Instance Types\\\" support search once to create a history of previously seen instance types.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | fillnull value=\\\"m1.small\\\" requestParameters.instanceType | stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types.csv | stats min(earliest) as earliest max(latest) as latest by instanceType | outputlookup previously_seen_ec2_instance_types.csv | eval newType=if(earliest >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where newType=1 | rename instanceType as requestParameters.instanceType | table requestParameters.instanceType] | spath output=user userIdentity.arn | rename requestParameters.instanceType as instanceType, 
responseElements.instancesSet.items{}.instanceId as dest | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_instance_type_filter`\",\n                    \"known_false_positives\": \"It is possible that an admin will create a new system using a new instance type never used before. Verify with the creator that they intended to create the system with the new instance type.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cryptomining\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen EC2 Instance Types\",\n                            \"id\": \"b8f029f2-65a6-4d76-be98-dad1c9d59c45\",\n                            \"version\": 1,\n                            \"date\": \"2018-03-08\",\n                            \"description\": \"This search builds a table of previously seen EC2 instance types\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success | rename requestParameters.instanceType as instanceType | fillnull value=\\\"m1.small\\\" 
instanceType | stats earliest(_time) as earliest latest(_time) as latest by instanceType | outputlookup previously_seen_ec2_instance_types.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS Cryptomining\"\n                                ],\n                                \"detections\": [\n                                    \"EC2 Instance Started With Previously Unseen Instance Type\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"ec2_instance_started_with_previously_unseen_instance_type_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"EC2 Instance Started With Previously Unseen User\",\n                    \"id\": \"22773e84-bac0-4595-b086-20d3f735b4f1\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for EC2 instances being created by users who have not created them before.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the \\\"Previously Seen EC2 Launches By User\\\" support search once to create a history of previously seen ARNs.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_launches_by_user.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user.csv | eval newUser=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as user | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_user_filter`\",\n                  
  \"known_false_positives\": \"It's possible that a user will start to create EC2 instances when they haven't before for any number of reasons. Verify with the user that is launching instances that this is the intended behavior.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cryptomining\",\n                            \"Suspicious AWS EC2 Activities\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.004\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT33\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen EC2 Launches By User\",\n                            \"id\": \"6c767ac0-0906-4355-9a83-927f5ee7bdad\",\n                            \"version\": 1,\n                            \"date\": \"2018-03-15\",\n                            \"description\": \"This search builds a table of previously seen ARNs that have launched a EC2 instance.\",\n                            \"how_to_implement\": \"You must install the AWS App 
for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success | rename userIdentity.arn as arn | stats earliest(_time) as firstTime latest(_time) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS Cryptomining\",\n                                    \"Suspicious AWS EC2 Activities\"\n                                ],\n                                \"detections\": [\n                                    \"EC2 Instance Started With Previously Unseen User\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"ec2_instance_started_with_previously_unseen_user_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"AWS Network ACL Activity\",\n            \"id\": \"2e8948a5-5239-406b-b56b-6c50ff268af4\",\n            \"version\": 2,\n            \"date\": \"2018-05-21\",\n            \"description\": \"Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it.\",\n            \"narrative\": \"AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational/risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs to ensure that your servers are not vulnerable to attacks. 
This analytic story contains detection searches that leverage CloudTrail logs from AWS to check for bad configurations and malicious activity in your AWS network access controls.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html\",\n                \"https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"AWS Network ACL Activity\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"mitre_attack_id\": [],\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"detections\": [\n                {\n                    \"name\": \"AWS Network Access Control List Created with All Open Ports\",\n                    \"id\": \"ada0f478-84a8-4641-a3f1-d82362d6bd75\",\n                    \"version\": 1,\n                    \"date\": \"2017-01-10\",\n                    \"description\": \"The search looks for CloudTrail CreateNetworkAclEntry events to detect network ACL allow rules that open a wide port range to a specified CIDR. As written, the search only matches entries whose port range is exactly 1024-65535; adjust the portRange values in the search if the rules you want to catch use a different range.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=CreateNetworkAclEntry | mvexpand requestParameters | mvexpand responseElements | search requestParameters.portRange.from=1024 
requestParameters.portRange.to=65535 requestParameters.ruleAction=allow | rename userIdentity.arn as arn | rename requestParameters.networkAclId as networkAclId | table _time aws_account_id src userName arn networkAclId requestParameters.* responseElements.* | `aws_network_access_control_list_created_with_all_open_ports_filter`\",\n                    \"known_false_positives\": \"It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Network ACL Activity\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 11\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"aws_network_access_control_list_created_with_all_open_ports_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"AWS Network Access Control List Deleted\",\n                    \"id\": \"ada0f478-84a8-4641-a3f1-d82362d6fd75\",\n                    \"version\": 1,\n                    \"date\": \"2017-01-10\",\n                    \"description\": \"Enforcing network-access controls is one of the defensive mechanisms cloud administrators use to restrict access to a cloud instance. An attacker who has gained control of the AWS console by compromising an admin account can delete a network ACL to remove those restrictions and reach the instance from anywhere. 
This search will query the CloudTrail logs to detect users deleting network ACLs.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=DeleteNetworkAcl|rename userIdentity.arn as arn  | stats count min(_time) as firstTime max(_time) as lastTime values(errorMessage) values(errorCode) values(userAgent) values(userIdentity.*) by src userName arn eventName | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `aws_network_access_control_list_deleted_filter`\",\n                    \"known_false_positives\": \"It's possible that a user has legitimately deleted a network ACL.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Network ACL Activity\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 11\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": 
\"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"aws_network_access_control_list_deleted_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Spike in blocked Outbound Traffic from your AWS\",\n                    \"id\": \"ada0f278-84a8-46w1-a3f1-w32372d4bd53\",\n                    \"version\": 1,\n                    \"date\": \"2018-05-07\",\n                    \"description\": \"This search will detect spike in blocked outbound network connections originating from within your AWS environment.  It will also update the cache file that factors in the latest data.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. 
The `dataPointThreshold` variable is the number of data points required to meet the definition of \\\"spike.\\\" The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \\\"Baseline of Blocked Outbound Connection\\\" support search once to create a history of previously seen blocked outbound connections.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16)  [search  `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16)  | stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections as latestCount | eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720 | eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720)) | eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold = 3 | eval isSpike=if((latestCount > 
avgBlockedConnections+deviationThreshold*stdevBlockedConnections) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip] | stats values(dest_ip) as \\\"Blocked Destination IPs\\\", values(interface_id) as \\\"resourceId\\\" count as numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip | `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter`\",\n                    \"known_false_positives\": \"The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Network ACL Activity\",\n                            \"Suspicious AWS Traffic\",\n                            \"Command and Control\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\",\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 11\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"DE.CM\",\n                            \"PR.AC\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of blocked outbound traffic from AWS\",\n                            \"id\": 
\"fc0edd96-ff2b-48b0-9f1f-63da3782fd63\",\n                            \"version\": 1,\n                            \"date\": \"2018-05-07\",\n                            \"description\": \"This search establishes, on a per-hour basis, the average and the standard deviation of the number of outbound connections blocked in your VPC flow logs by each source IP address (IP address of your EC2 instances). Also recorded is the number of data points for each source IP. This table outputs to a lookup file to allow the detection search to operate quickly.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your `VPC flow logs.`.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | bucket _time span=1h | stats count as numberOfBlockedConnections by _time, src_ip | stats count(numberOfBlockedConnections) as numDataPoints, latest(numberOfBlockedConnections) as latestCount, avg(numberOfBlockedConnections) as avgBlockedConnections, stdev(numberOfBlockedConnections) as stdevBlockedConnections by src_ip | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS Network ACL Activity\",\n                                    \"Command and Control\",\n                                    \"Suspicious AWS Traffic\"\n                                ],\n                                \"detections\": [\n                                    \"Detect Spike in blocked Outbound 
Traffic from your AWS\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudwatchlogs:vpcflow\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"cloudwatchlogs_vpcflow\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_spike_in_blocked_outbound_traffic_from_your_aws_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Spike in Network ACL Activity\",\n                    \"id\": \"ada0f478-84a8-4641-a1f1-e32372d4bd53\",\n                    \"version\": 1,\n                    \"date\": \"2018-05-21\",\n                    \"description\": \"This search will detect users creating spikes in API activity related to network access-control lists (ACLs) in your AWS environment.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points a user must have in the baseline before a spike is reported; users with fewer data points are never flagged. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. 
This search works best when you run the \\\"Baseline of Network ACL Activity by ARN\\\" support search once to create a lookup file of previously seen Network ACL Activity. To add or remove API event names related to network ACLs, edit the macro `network_acl_events`.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` `network_acl_events` [search `cloudtrail` `network_acl_events` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup network_acl_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_network_acl_activity_filter`\",\n                    \"known_false_positives\": \"The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. 
Please modify these thresholds according to your environment.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Network ACL Activity\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 12\",\n                            \"CIS 11\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.CM\",\n                            \"PR.AC\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of Network ACL Activity by ARN\",\n                            \"id\": \"fc0edd96-ff2b-4810-9f1f-63da3783fd63\",\n                            \"version\": 1,\n                            \"date\": \"2018-05-21\",\n                            \"description\": \"This search establishes, on a per-hour basis, the average and the standard deviation of the number of API calls related to network ACLs made by each user. Also recorded is the number of data points for each user. This table is then written to a lookup file to allow the detection search to operate quickly.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
To add or remove API event names for network ACLs, edit the macro `network_acl_events`.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"`cloudtrail` `network_acl_events` | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS Network ACL Activity\"\n                                ],\n                                \"detections\": [\n                                    \"Detect Spike in Network ACL Activity\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"(eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)\",\n                            \"description\": \"This is a list of AWS event names that are associated with Network ACLs\",\n                            \"name\": \"network_acl_events\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_spike_in_network_acl_activity_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"AWS Security Hub Alerts\",\n            \"id\": \"2f2f610a-d64d-48c2-b57c-96722b49ab5a\",\n            \"version\": 1,\n            \"date\": \"2020-08-04\",\n            \"description\": \"This story focuses on detecting spikes in Security Hub alerts generated by AWS.\",\n            \"narrative\": \"AWS Security Hub collects and consolidates findings from AWS security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, S3 bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from AWS Firewall Manager.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://aws.amazon.com/security-hub/features/\"\n            
],\n            \"tags\": {\n                \"analytics_story\": \"AWS Security Hub Alerts\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"mitre_attack_id\": [],\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect Spike in AWS Security Hub Alerts for EC2 Instance\",\n                    \"id\": \"2a9b80d3-6340-4345-b5ad-290bf5d0d222\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for a spike in the number of AWS Security Hub alerts for an EC2 instance in 4-hour intervals.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. 
The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`aws_securityhub_firehose` \\\"findings{}.Resources{}.Type\\\"=AWSEC2Instance | rex field=findings{}.Resources{}.Id .*instance/(?<instance>.*) | rename instance as dest | bucket span=4h _time | stats count AS alerts by _time dest | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev | eval threshold_value = 4 | eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time dest alerts|`detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter`\",\n                    \"known_false_positives\": \"None\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Security Hub Alerts\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"aws:securityhub:firehose\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"aws_securityhub_firehose\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Spike in AWS Security Hub Alerts for User\",\n                    \"id\": \"2a9b80d3-6220-4345-b5ad-290bf5d0d222\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for a spike in the number of AWS Security Hub alerts for an AWS IAM user in 4-hour intervals.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. 
The threshold_value should be tuned to your environment and schedule these searches according to the bucket span interval.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`aws_securityhub_firehose` \\\"findings{}.Resources{}.Type\\\"= AwsIamUser | rename findings{}.Resources{}.Id as user | bucket span=4h _time | stats count AS alerts by _time user | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev | eval threshold_value = 2 | eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time user alerts |`detect_spike_in_aws_security_hub_alerts_for_user_filter`\",\n                    \"known_false_positives\": \"None\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Security Hub Alerts\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"aws:securityhub:firehose\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"aws_securityhub_firehose\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_spike_in_aws_security_hub_alerts_for_user_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"AWS Suspicious Provisioning Activities\",\n            \"id\": \"3338b567-3804-4261-9889-cf0ca4753c7f\",\n            \"version\": 1,\n            \"date\": \"2018-03-16\",\n            \"description\": \"Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your network.\",\n            \"narrative\": \"Because most enterprise AWS activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to allow-list specific IPs (because they vary).\\\\\\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. 
Nevertheless, location can be a relevant piece of information that you may wish to investigate further.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"AWS Suspicious Provisioning Activities\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1535\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Unused/Unsupported Cloud Regions\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"AWS Cloud Provisioning From Previously Unseen City\",\n                    \"id\": \"344a1778-0b25-490c-adb1-de8beddf59cd\",\n                    \"version\": 1,\n                    \"date\": \"2018-03-16\",\n                    \"description\": \"This search looks for AWS provisioning activities from previously unseen cities.  Provisioning activities are defined broadly as any event that begins with \\\"Run\\\" or \\\"Create.\\\" \",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
This search works best when you run the \\\"Previously Seen AWS Provisioning Activity Sources\\\" support search once to create a history of previously seen locations that have provisioned AWS resources.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by City | eval newCity=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newCity=1 | table City] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, City, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_city_filter`\",\n                    \"known_false_positives\": \"This is a strictly behavioral search, so we define \\\"false positive\\\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \\\"false positives\\\" in a traditional sense, there is definitely lots of noise.\\\\\\n This search will fire any time a new city is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your city, there should be few false positives. 
If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Suspicious Provisioning Activities\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1535\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"risk_score\": 25,\n                        \"risk_object_type\": \"user\",\n                        \"risk_object\": \"user\",\n                        \"mitre_attack_technique\": [\n                            \"Unused/Unsupported Cloud Regions\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen AWS Provisioning Activity Sources\",\n                            \"id\": \"ac88e6a0-4fba-4dfd-b7b9-8964df7d1aee\",\n                            \"version\": 1,\n                            \"date\": \"2018-03-16\",\n                            \"description\": \"This search builds a table of the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity. 
This is broadly defined as any event that runs or creates something.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS Suspicious Provisioning Activities\"\n                                ],\n                                \"detections\": [\n                                    \"AWS Cloud Provisioning From Previously Unseen IP Address\",\n                                    \"AWS Cloud Provisioning From Previously Unseen City\",\n                                    \"AWS Cloud Provisioning From Previously Unseen Country\",\n                                    \"AWS Cloud Provisioning From Previously Unseen Region\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"aws_cloud_provisioning_from_previously_unseen_city_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"AWS Cloud Provisioning From Previously Unseen Country\",\n                    \"id\": \"ceb8d3d8-06cb-49eb-beaf-829526e33ff0\",\n                    \"version\": 1,\n                    \"date\": \"2018-03-16\",\n                    \"description\": \"This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with \\\"Run\\\" or \\\"Create.\\\" \",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
This search works best when you run the \\\"Previously Seen AWS Provisioning Activity Sources\\\" support search once to create a history of previously seen locations that have provisioned AWS resources.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Country | eval newCountry=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newCountry=1 | table Country] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Country, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_country_filter`\",\n                    \"known_false_positives\": \"This is a strictly behavioral search, so we define \\\"false positive\\\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over plus what is stored in the cache feature. But while there are really no \\\"false positives\\\" in a traditional sense, there is definitely lots of noise.\\\\\\n This search will fire any time a new country is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. 
If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Suspicious Provisioning Activities\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1535\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Unused/Unsupported Cloud Regions\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen AWS Provisioning Activity Sources\",\n                            \"id\": \"ac88e6a0-4fba-4dfd-b7b9-8964df7d1aee\",\n                            \"version\": 1,\n                            \"date\": \"2018-03-16\",\n                            \"description\": \"This search builds a table of the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity. 
This is broadly defined as any event that runs or creates something.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS Suspicious Provisioning Activities\"\n                                ],\n                                \"detections\": [\n                                    \"AWS Cloud Provisioning From Previously Unseen IP Address\",\n                                    \"AWS Cloud Provisioning From Previously Unseen City\",\n                                    \"AWS Cloud Provisioning From Previously Unseen Country\",\n                                    \"AWS Cloud Provisioning From Previously Unseen Region\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"aws_cloud_provisioning_from_previously_unseen_country_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"AWS Cloud Provisioning From Previously Unseen IP Address\",\n                    \"id\": \"42e15012-ac14-4801-94f4-f1acbe64880b\",\n                    \"version\": 1,\n                    \"date\": \"2018-03-16\",\n                    \"description\": \"This search looks for AWS provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that begins with \\\"Run\\\" or \\\"Create.\\\" \",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
This search works best when you run the \\\"Previously Seen AWS Provisioning Activity Sources\\\" support search once to create a history of previously seen locations that have provisioned AWS resources.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` (eventName=Run* OR eventName=Create*) [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress | eval newIP=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newIP=1 | table sourceIPAddress] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_ip_address_filter`\",\n                    \"known_false_positives\": \"This is a strictly behavioral search, so we define \\\"false positive\\\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \\\"false positives\\\" in a traditional sense, there is definitely lots of noise.\\\\\\n This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. 
If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Suspicious Provisioning Activities\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen AWS Provisioning Activity Sources\",\n                            \"id\": \"ac88e6a0-4fba-4dfd-b7b9-8964df7d1aee\",\n                            \"version\": 1,\n                            \"date\": \"2018-03-16\",\n                            \"description\": \"This search builds a table of the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity. 
This is broadly defined as any event that runs or creates something.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS Suspicious Provisioning Activities\"\n                                ],\n                                \"detections\": [\n                                    \"AWS Cloud Provisioning From Previously Unseen IP Address\",\n                                    \"AWS Cloud Provisioning From Previously Unseen City\",\n                                    \"AWS Cloud Provisioning From Previously Unseen Country\",\n                                    \"AWS Cloud Provisioning From Previously Unseen Region\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"aws_cloud_provisioning_from_previously_unseen_ip_address_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"AWS Cloud Provisioning From Previously Unseen Region\",\n                    \"id\": \"7971d3df-da82-4648-a6e5-b5637bea5253\",\n                    \"version\": 1,\n                    \"date\": \"2018-03-16\",\n                    \"description\": \"This search looks for AWS provisioning activities from previously unseen regions. Region in this context is similar to a state in the United States. Provisioning activities are defined broadly as any event that begins with \\\"Run\\\" or \\\"Create.\\\"\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
This search works best when you run the \\\"Previously Seen AWS Provisioning Activity Sources\\\" support search once to create a history of previously seen locations that have provisioned AWS resources.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Region | eval newRegion=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newRegion=1 | table Region] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Region, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_region_filter`\",\n                    \"known_false_positives\": \"This is a strictly behavioral search, so we define \\\"false positive\\\" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no \\\"false positives\\\" in a traditional sense, there is definitely lots of noise.\\\\\\n This search will fire any time a new region is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your region, there should be few false positives. 
If you are located in regions where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Suspicious Provisioning Activities\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1535\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Unused/Unsupported Cloud Regions\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen AWS Provisioning Activity Sources\",\n                            \"id\": \"ac88e6a0-4fba-4dfd-b7b9-8964df7d1aee\",\n                            \"version\": 1,\n                            \"date\": \"2018-03-16\",\n                            \"description\": \"This search builds a table of the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity. 
This is broadly defined as any event that runs or creates something.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS Suspicious Provisioning Activities\"\n                                ],\n                                \"detections\": [\n                                    \"AWS Cloud Provisioning From Previously Unseen IP Address\",\n                                    \"AWS Cloud Provisioning From Previously Unseen City\",\n                                    \"AWS Cloud Provisioning From Previously Unseen Country\",\n                                    \"AWS Cloud Provisioning From Previously Unseen Region\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"aws_cloud_provisioning_from_previously_unseen_region_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"AWS User Monitoring\",\n            \"id\": \"2e8948a5-5239-406b-b56b-6c50f1269af3\",\n            \"version\": 1,\n            \"date\": \"2018-03-12\",\n            \"description\": \"Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment.\",\n            \"narrative\": \"It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\\\\\\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new EC2 instances and increased bandwidth usage. \\\\\\nFortunately, you can leverage Amazon Web Services (AWS) CloudTrail--a tool that helps you enable governance, compliance, and risk auditing of your AWS account--to give you increased visibility into your user and resource activity by recording AWS Management Console actions and API calls. 
You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.\\\\\\nThe detection searches in this Analytic Story are designed to help you uncover AWS API activities from users not listed in the identity table, as well as similar activities from disabled accounts.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf\",\n                \"https://redlock.io/blog/cryptojacking-tesla\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"AWS User Monitoring\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.004\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect API activity from users without MFA\",\n                    \"id\": \"2a9b80d3-6340-4345-w5ad-212bf5d1dac4\",\n                    \"version\": 1,\n                    \"date\": \"2018-05-17\",\n                    \"description\": \"This search looks for CloudTrail events where a user logged into the AWS account, is making API calls and has not enabled Multi Factor authentication. 
Multi factor authentication adds a layer of security by forcing the users to type a unique authentication code from an approved authentication device when they access AWS websites or services. AWS Best Practices recommend that you enable MFA for privileged IAM users.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Leverage the support search `Create a list of approved AWS service accounts`: run it once every 30 days to create a list of service accounts and validate them.\\\\\\nThis search produces fields (`eventName`,`userIdentity.type`,`userIdentity.arn`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** AWS Event Name, **Field:** eventName\\\\\\n1. \\\\\\n1. **Label:** AWS User ARN, **Field:** userIdentity.arn\\\\\\n1. \\\\\\n1. 
**Label:** AWS User Type, **Field:** userIdentity.type\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` userIdentity.sessionContext.attributes.mfaAuthenticated=false | search NOT [| inputlookup aws_service_accounts | fields identity | rename identity as user]| stats  count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by userIdentity.arn userIdentity.type user | `security_content_ctime(firstTime)`  | `security_content_ctime(lastTime)` | `detect_api_activity_from_users_without_mfa_filter`\",\n                    \"known_false_positives\": \"Many service accounts configured within an AWS infrastructure do not have multi factor authentication enabled. Please ignore the service accounts, if triggered and instead add them to the aws_service_accounts.csv file to fine tune the detection. 
It is also possible that the search detects users in your environment using Single Sign-On systems, since the MFA is not handled by AWS.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS User Monitoring\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"PR.AC\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"detect_api_activity_from_users_without_mfa_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect AWS API Activities From Unapproved Accounts\",\n                    \"id\": \"ada0f478-84a8-4641-a3f1-d82362d4bd55\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for successful CloudTrail activity by user accounts that are not listed in the identity table or `aws_service_accounts.csv`. It returns event names and count, as well as the first and last time a specific user or service is detected, grouped by users.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You must also populate the `identity_lookup_expanded` lookup shipped with the Asset and Identity framework to be able to look up users in your identity table in Enterprise Security (ES). Leverage the support search called \\\"Create a list of approved AWS service accounts\\\": run it once every 30 days to create and validate a list of service accounts.\\\\\\nThis search produces fields (`eventName`,`firstTime`,`lastTime`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** AWS Event Name, **Field:** eventName\\\\\\n1. \\\\\\n1. **Label:** First Time, **Field:** firstTime\\\\\\n1. \\\\\\n1. 
**Label:** Last Time, **Field:** lastTime\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` errorCode=success | rename userName as identity | search NOT [| inputlookup identity_lookup_expanded | fields identity] | search NOT [| inputlookup aws_service_accounts | fields identity] | rename identity as user | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_api_activities_from_unapproved_accounts_filter`\",\n                    \"known_false_positives\": \"It's likely that you'll find activity detected by users/service accounts that are not listed in the `identity_lookup_expanded` or ` aws_service_accounts.csv` file. 
If the user is a legitimate service account, update the `aws_service_accounts.csv` table with that entry.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS User Monitoring\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.004\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.CM\",\n                            \"PR.AC\",\n                            \"ID.AM\"\n                        ],\n                        \"security_domain\": \"access\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT33\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Create a list of approved AWS service accounts\",\n                            \"id\": \"fc0edc95-ff2b-48b1-5f6f-63ga3789fd43\",\n                            \"version\": 2,\n                            \"date\": \"2018-12-03\",\n                            \"description\": \"This search looks for successful API activity in CloudTrail within the last 30 days, filters 
out known users from the identity table, and outputs values of users into the `aws_service_accounts.csv` lookup file.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the service account entries in `aws_service_accounts.csv`, which is a lookup file created as a result of running this support search. Please remove the entries of service accounts that are not legitimate.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"`cloudtrail` errorCode=success | rename userName as identity | search NOT [inputlookup identity_lookup_expanded | fields identity] | stats count by identity | table identity | outputlookup aws_service_accounts | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS User Monitoring\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS API Activities From Unapproved Accounts\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_aws_api_activities_from_unapproved_accounts_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect new API calls from user roles\",\n                    \"id\": \"22773e84-bac0-4595-b086-20d3f335b4f1\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-16\",\n                    \"description\": \"This search detects new API calls that have either never been seen before or that have not been seen in the previous hour, where the identity type is `AssumedRole`.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
This search works best when you run the \\\"Previously seen API call per user roles in CloudTrail\\\" support search once to create a history of previously seen user roles.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole [search `cloudtrail` eventType=AwsApiCall errorCode=success  userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName |  inputlookup append=t previously_seen_api_calls_from_user_roles | stats min(earliest) as earliest, max(latest) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles| eval newApiCallfromUserRole=if(earliest>=relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newApiCallfromUserRole=1 | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | table eventName userName]  |rename userName as user| stats values(eventName) earliest(_time) as earliest latest(_time) as latest by user | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | `detect_new_api_calls_from_user_roles_filter`\",\n                    \"known_false_positives\": \"It is possible that there are legitimate user roles making new or infrequently used API calls in your infrastructure, causing the search to trigger.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS User Monitoring\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.004\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\"\n                        ],\n                        \"security_domain\": 
\"endpoint\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT33\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously seen API call per user roles in CloudTrail\",\n                            \"id\": \"fc0edc95-fq2c-48b0-9f6f-63da3289fd03\",\n                            \"version\": 1,\n                            \"date\": \"2018-04-16\",\n                            \"description\": \"This search looks for successful API calls made by different user roles, then creates a baseline of the earliest and latest times we have encountered this user role. It also returns the name of the API call in our dataset--grouped by user role and name of the API call--that occurred within the last 30 days. In this support search, we are only looking for events where the user identity is Assumed Role.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
Please validate the user role entries in `previously_seen_api_calls_from_user_roles.csv`, which is a lookup file created as a result of running this support search.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"`cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS User Monitoring\"\n                                ],\n                                \"detections\": [\n                                    \"Detect new API calls from user roles\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_new_api_calls_from_user_roles_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Spike in AWS API Activity\",\n                    \"id\": \"ada0f478-84a8-4641-a3f1-d32362d4bd55\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search will detect users creating spikes of API activity in your AWS environment. It will also update the cache file that factors in the latest data.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required before a statistically significant determination can be made. 
The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.\\\\\\nThis search produces fields (`eventName`,`numberOfApiCalls`,`uniqueApisCalled`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** AWS Event Name, **Field:** eventName\\\\\\n1. \\\\\\n1. **Label:** Number of API Calls, **Field:** numberOfApiCalls\\\\\\n1. \\\\\\n1. **Label:** Unique API Calls, **Field:** uniqueApisCalled\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` eventType=AwsApiCall [search `cloudtrail` eventType=AwsApiCall | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup api_call_by_user_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup api_call_by_user_baseline | eval dataPointThreshold = 15, 
deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_aws_api_activity_filter`\",\n                    \"known_false_positives\": \"\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS User Monitoring\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.004\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.CM\",\n                            \"PR.AC\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT33\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of API Calls per User ARN\",\n        
                    \"id\": \"fc0edc96-ff2b-48b0-9f6f-63da3783fd63\",\n                            \"version\": 1,\n                            \"date\": \"2018-04-09\",\n                            \"description\": \"This search establishes, on a per-hour basis, the average and the standard deviation of the number of API calls made by each user. Also recorded is the number of data points for each user. This table is then outputted to a lookup file to allow the detection search to operate quickly.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"`cloudtrail` eventType=AwsApiCall | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup api_call_by_user_baseline | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS User Monitoring\"\n                                ],\n                                \"detections\": [\n                                    \"Detect Spike in AWS API Activity\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_spike_in_aws_api_activity_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Spike in Security Group Activity\",\n                    \"id\": \"ada0f478-84a8-4641-a3f1-e32372d4bd53\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-18\",\n                    \"description\": \"This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required before a statistically significant determination can be made. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \\\"Baseline of Security Group Activity by ARN\\\" support search once to create a history of previously seen Security Group Activity. 
To add or remove API event names for security groups, edit the macro `security_group_api_calls`.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` `security_group_api_calls` [search `cloudtrail` `security_group_api_calls` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup security_group_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_security_group_activity_filter`\",\n                    \"known_false_positives\": \"Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. 
Please modify this according to your environment.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS User Monitoring\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.004\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.CM\",\n                            \"PR.AC\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT33\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of Security Group Activity by ARN\",\n                            \"id\": \"fc0edd96-ff2b-48b0-9f1f-63da3783fd63\",\n                            \"version\": 1,\n                            \"date\": \"2018-04-17\",\n                            \"description\": \"This search establishes, on a per-hour basis, the average and the standard deviation for the number of API calls related to security groups made by each user. 
Also recorded is the number of data points for each user. This table is then outputted to a lookup file to allow the detection search to operate quickly.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove API event names for security groups, edit the macro `security_group_api_calls`.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"`cloudtrail` `security_group_api_calls` | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS User Monitoring\"\n                                ],\n                                \"detections\": [\n                                    \"Detect Spike in Security Group Activity\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"(eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress)\",\n                            \"description\": \"This macro is a list of AWS event names associated with security groups\",\n                            \"name\": \"security_group_api_calls\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_spike_in_security_group_activity_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Brand Monitoring\",\n            \"id\": \"91c676cf-0b23-438d-abee-f6335e1fce78\",\n            \"version\": 1,\n            \"date\": \"2017-12-19\",\n            \"description\": \"Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name.\",\n            \"narrative\": \"While you can educate your users and customers about the risks and threats posed by typosquatting, phishing, and corporate espionage, human error is a persistent fact of life. 
Of course, your adversaries are all too aware of this reality and will happily leverage it for nefarious purposes whenever possible--phishing with lookalike addresses, embedding faux command-and-control domains in malware, and hosting malicious content on domains that closely mimic your corporate servers. This is where brand monitoring comes in.\\\\\\nYou can use our adaptation of `DNSTwist`, together with the support searches in this Analytic Story, to generate permutations of specified brands and external domains. Splunk can monitor email, DNS requests, and web traffic for these permutations and provide you with early warnings and situational awareness--powerful elements of an effective defense.\\\\\\nNotable events will include IP addresses, URLs, and user data. Drilling down can provide you with even more actionable intelligence, including likely geographic information, contextual searches to help you scope the problem, and investigative searches.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.zerofox.com/blog/what-is-digital-risk-monitoring/\",\n                \"https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/\",\n                \"https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Brand Monitoring\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Abuse\"\n                ],\n                \"mitre_attack_id\": [],\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Monitor Email For Brand Abuse\",\n                    \"id\": 
\"b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8\",\n                    \"version\": 2,\n                    \"date\": \"2018-01-05\",\n                    \"description\": \"This search looks for emails claiming to be sent from a domain similar to one that you want to have monitored for abuse.\",\n                    \"how_to_implement\": \"You need to ingest email header data. Specifically the sender's address (src_user) must be populated.  You also need to have run the search \\\"ESCU - DNSTwist Domain Names\\\", which creates the permutations of the domain that will be checked for.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id | `drop_dm_object_name(\\\"All_Email\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval temp=split(src_user, \\\"@\\\") | eval email_domain=mvindex(temp, 1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true | table message_id, src_user, email_domain, recipients, firstTime, lastTime | `monitor_email_for_brand_abuse_filter`\",\n                    \"known_false_positives\": \"None at this time\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Brand Monitoring\",\n                            \"Suspicious Emails\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 7\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        
],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"DNSTwist Domain Names\",\n                            \"id\": \"19f7d2ec-6028-4d01-bcdb-bda9a034c17f\",\n                            \"version\": 2,\n                            \"date\": \"2018-10-08\",\n                            \"description\": \"This search creates permutations of your existing domains, removes the valid domain names and stores them in a specified lookup file so they can be checked for in the associated detection searches.\",\n                            \"how_to_implement\": \"To successfully implement this search you need to update the file called domains.csv in the DA-ESS-SOC/lookup directory. 
Or `cim_corporate_email_domains.csv` and `cim_corporate_web_domains.csv` from **Splunk\\\\_SA\\\\_CIM**.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"| dnstwist domainlist=domains.csv | `remove_valid_domains` | eval domain_abuse=\\\"true\\\" | table domain, domain_abuse | outputlookup brandMonitoring_lookup | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Brand Monitoring\",\n                                    \"Suspicious Emails\"\n                                ],\n                                \"detections\": [\n                                    \"Monitor Email For Brand Abuse\",\n                                    \"Monitor DNS For Brand Abuse\",\n                                    \"Monitor Web Traffic For Brand Abuse\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter 
out false positives. \",\n                            \"name\": \"monitor_email_for_brand_abuse_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Monitor DNS For Brand Abuse\",\n                    \"id\": \"24dd17b1-e2fb-4c31-878c-d4f746595bfa\",\n                    \"version\": 1,\n                    \"date\": \"2017-09-23\",\n                    \"description\": \"This search looks for DNS requests for faux domains similar to the domains that you want to have monitored for abuse.\",\n                    \"how_to_implement\": \"You need to ingest data from your DNS logs. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You also need to have run the search \\\"ESCU - DNSTwist Domain Names\\\", which creates the permutations of the domain that will be checked for.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(\\\"DNS\\\")` | `security_content_ctime(firstTime)`| `brand_abuse_dns` | `monitor_dns_for_brand_abuse_filter`\",\n                    \"known_false_positives\": \"None at this time\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Brand Monitoring\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\",\n                            \"Actions on Objectives\"\n                        ],\n   
                     \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"DNSTwist Domain Names\",\n                            \"id\": \"19f7d2ec-6028-4d01-bcdb-bda9a034c17f\",\n                            \"version\": 2,\n                            \"date\": \"2018-10-08\",\n                            \"description\": \"This search creates permutations of your existing domains, removes the valid domain names and stores them in a specified lookup file so they can be checked for in the associated detection searches.\",\n                            \"how_to_implement\": \"To successfully implement this search you need to update the file called domains.csv in the DA-ESS-SOC/lookup directory. 
Or `cim_corporate_email_domains.csv` and `cim_corporate_web_domains.csv` from **Splunk\\\\_SA\\\\_CIM**.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"| dnstwist domainlist=domains.csv | `remove_valid_domains` | eval domain_abuse=\\\"true\\\" | table domain, domain_abuse | outputlookup brandMonitoring_lookup | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Brand Monitoring\",\n                                    \"Suspicious Emails\"\n                                ],\n                                \"detections\": [\n                                    \"Monitor Email For Brand Abuse\",\n                                    \"Monitor DNS For Brand Abuse\",\n                                    \"Monitor Web Traffic For Brand Abuse\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true\",\n                            \"description\": \"This macro limits the output to only domains that are in the brand monitoring lookup file\",\n                            \"name\": \"brand_abuse_dns\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert 
timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"monitor_dns_for_brand_abuse_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Monitor Web Traffic For Brand Abuse\",\n                    \"id\": \"134da869-e264-4a8f-8d7e-fcd0ec88f301\",\n                    \"version\": 1,\n                    \"date\": \"2017-09-23\",\n                    \"description\": \"This search looks for Web requests to faux domains similar to the one that you want to have monitored for abuse.\",\n                    \"how_to_implement\": \"You need to ingest data from your web traffic. This can be accomplished by indexing data from a web proxy, or using a network traffic analysis tool, such as Bro or Splunk Stream. 
You also need to have run the search \\\"ESCU - DNSTwist Domain Names\\\", which creates the permutations of the domain that will be checked for.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Web.url) as urls min(_time) as firstTime from datamodel=Web by Web.src | `drop_dm_object_name(\\\"Web\\\")` | `security_content_ctime(firstTime)` | `brand_abuse_web` | `monitor_web_traffic_for_brand_abuse_filter`\",\n                    \"known_false_positives\": \"None at this time\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Brand Monitoring\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 7\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"DNSTwist Domain Names\",\n                            \"id\": \"19f7d2ec-6028-4d01-bcdb-bda9a034c17f\",\n                            \"version\": 2,\n                            \"date\": \"2018-10-08\",\n                            \"description\": \"This search creates permutations of your existing domains, removes the valid domain names and stores them in a specified lookup file so they can be checked for in the associated detection 
searches.\",\n                            \"how_to_implement\": \"To successfully implement this search you need to update the file called domains.csv in the DA-ESS-SOC/lookup directory. Or `cim_corporate_email_domains.csv` and `cim_corporate_web_domains.csv` from **Splunk\\\\_SA\\\\_CIM**.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"| dnstwist domainlist=domains.csv | `remove_valid_domains` | eval domain_abuse=\\\"true\\\" | table domain, domain_abuse | outputlookup brandMonitoring_lookup | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Brand Monitoring\",\n                                    \"Suspicious Emails\"\n                                ],\n                                \"detections\": [\n                                    \"Monitor Email For Brand Abuse\",\n                                    \"Monitor DNS For Brand Abuse\",\n                                    \"Monitor Web Traffic For Brand Abuse\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n   
                     {\n                            \"definition\": \"lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse | search domain_abuse=true\",\n                            \"description\": \"This macro limits the output to only domains that are in the brand monitoring lookup file\",\n                            \"name\": \"brand_abuse_web\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"monitor_web_traffic_for_brand_abuse_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Cloud Cryptomining\",\n            \"id\": \"3b96d13c-fdc7-45dd-b3ad-c132b31cdd2a\",\n            \"version\": 1,\n            \"date\": \"2019-10-02\",\n            \"description\": \"Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.\",\n            \"narrative\": \"Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority. \\\\\\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. 
The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure. It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN. \\\\\\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated. \\\\\\nThis Analytic Story is focused on detecting suspicious new instances in your cloud environment to help prevent cryptominers from gaining a foothold. It contains detection searches that will detect when a previously unused instance type or AMI is used. 
It also contains support searches to build lookup files to ensure proper execution of the detection searches.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Cloud Cryptomining\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1535\",\n                    \"T1078.004\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Unused/Unsupported Cloud Regions\",\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Abnormally High AWS Instances Launched by User - MLTK\",\n                    \"id\": \"dec41ad5-d579-42cb-b4c6-f5dbb778bbe5\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for CloudTrail events where a user successfully launches an abnormally high number of instances.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
The threshold value should be tuned to your environment.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success `abnormally_high_aws_instances_launched_by_user___mltk_filter` | bucket span=10m _time  | stats count as instances_launched by _time src_user  | apply ec2_excessive_runinstances_v1  | rename \\\"IsOutlier(instances_launched)\\\" as isOutlier  | where isOutlier=1\",\n                    \"known_false_positives\": \"Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Cloud Cryptomining\",\n                            \"Suspicious AWS EC2 Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.004\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            
\"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT33\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of Excessive AWS Instances Launched by User - MLTK\",\n                            \"id\": \"fa5634df-fb05-4b4b-aba0-6115138bb1ba\",\n                            \"version\": 1,\n                            \"date\": \"2019-11-14\",\n                            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model for how many RunInstances users do in the environment. By default, the search uses the last 90 days of data to build the model. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of RunInstances performed by a user in a small time window.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\\\\\\nIn addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. 
You may also want to periodically re-run this search to rebuild the model with the latest data.\\\\\\nMore information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                            \"author\": \"Jason Brewer, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success `ec2_excessive_runinstances_mltk_input_filter` | bucket span=10m _time | stats count as instances_launched by _time src_user | fit DensityFunction instances_launched threshold=0.0005 into ec2_excessive_runinstances_v1\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Cloud Cryptomining\",\n                                    \"Suspicious AWS EC2 Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Abnormally High AWS Instances Launched by User - MLTK\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"abnormally_high_aws_instances_launched_by_user___mltk_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Cloud Compute Instance Created By Previously Unseen User\",\n                    \"id\": \"76988f6a-3935-48f6-a9e5-6fca8b3ed843\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for cloud compute instances created by users who have not created them before.\",\n                    \"how_to_implement\": \"You must be ingesting the appropriate cloud-infrastructure logs and have the Security Research cloud data model (https://github.com/splunk/cloud-datamodel-security-research/) installed. Run the \\\"Previously Seen Cloud Compute Creations By User\\\" support search to create a baseline of previously seen users.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` earliest(_time) as firstTime, latest(_time) as lastTime values(Compute.dest) as dest from datamodel=Cloud_Infrastructure.Compute where Compute.action=run by Compute.src_user | `drop_dm_object_name(\\\"Compute\\\")` | inputlookup append=t previously_seen_cloud_compute_creations_by_user  | stats min(firstTime) as firstTime max(lastTime) as lastTime, values(dest) as dest by src_user | multireport [| table src_user, firstTime, lastTime | outputlookup previously_seen_cloud_compute_creations_by_user | where fact=fiction][| eval new_user=if(firstTime >= relative_time(now(), `previously_seen_cloud_compute_creations_by_user_search_window_begin_offset`), 1, 0) | where new_user=1 | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`] | table src_user, dest, firstTime, lastTime | 
`cloud_compute_instance_created_by_previously_unseen_user_filter`\",\n                    \"known_false_positives\": \"It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Cloud Cryptomining\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.004\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Cloud Compute Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT33\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen Cloud Compute Creations By User\",\n                            \"id\": \"9fa1c205-4e08-4681-bb1b-d0943e734b85\",\n                            \"version\": 1,\n                            \"date\": \"2018-03-15\",\n                            \"description\": \"This search builds a table of previously seen users that have launched a cloud compute instance.\",\n                            
\"how_to_implement\": \"You must be ingesting the appropriate cloud infrastructure logs and have the Security Research cloud data model installed.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Cloud_Infrastructure.Compute where Compute.action=run `previously_seen_cloud_compute_creations_by_user_input_filter` by Compute.src_user | `drop_dm_object_name(\\\"Compute\\\")` | outputlookup previously_seen_cloud_compute_creations_by_user | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Cloud Cryptomining\"\n                                ],\n                                \"detections\": [\n                                    \"Cloud Compute Instance Created By Previously Unseen User\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"description\": \"Use this macro to determine how far into the past the window should be to determine if the 
user is new or not\",\n                            \"definition\": \"-70m@m\",\n                            \"name\": \"previously_seen_cloud_compute_creations_by_user_search_window_begin_offset\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"cloud_compute_instance_created_by_previously_unseen_user_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Cloud Compute Instance Created With Previously Unseen Image\",\n                    \"id\": \"bc24922d-987c-4645-b288-f8c73ec194c4\",\n                    \"version\": 1,\n                    \"date\": \"2018-10-12\",\n                    \"description\": \"This search looks for cloud compute instances being created with previously unseen image IDs.\",\n                    \"how_to_implement\": \"You must be ingesting the appropriate cloud-infrastructure logs and have the Security Research cloud data model (https://github.com/splunk/cloud-datamodel-security-research/) installed. 
Run the \\\"Previously Seen Cloud Compute Images\\\" support search to create a baseline of previously seen images.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(Compute.dest) as dest from datamodel=Cloud_Infrastructure.Compute where Compute.action=run `cloud_compute_instance_created_with_previously_unseen_image_filter` by Compute.image_id, Compute.src_user | `drop_dm_object_name(\\\"Compute\\\")` | inputlookup append=t previously_seen_cloud_compute_images | stats min(firstTime) as firstTime max(lastTime) as lastTime, values(dest) as dest by image_id, src_user | multireport [| table image_id, firstTime, lastTime | outputlookup previously_seen_cloud_compute_images | where fact=fiction][| eval new_image=if(firstTime >= relative_time(now(), `previously_seen_cloud_compute_image_search_window_begin_offset`), 1, 0) | where new_image=1 | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`] | table image_id, dest, src_user, firstTime, lastTime\",\n                    \"known_false_positives\": \"After a new image is created, the first systems created with that image will cause this alert to fire.  
Verify that the image being used was created by a legitimate user.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Cloud Cryptomining\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Cloud Compute Instance\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen Cloud Compute Images\",\n                            \"id\": \"3782ad10-5ce2-46e2-b9c4-1de9ecd3aecc\",\n                            \"version\": 1,\n                            \"date\": \"2018-03-12\",\n                            \"description\": \"This search builds a table of previously seen images used to launch cloud compute instances\",\n                            \"how_to_implement\": \"You must be ingesting the appropriate cloud infrastructure logs and have the Security Research cloud data model installed.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Cloud_Infrastructure.Compute where Compute.action=run `previously_seen_cloud_compute_image_input_filter` by Compute.image_id | `drop_dm_object_name(\\\"Compute\\\")` | outputlookup previously_seen_cloud_compute_images | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Cloud Cryptomining\"\n            
                    ],\n                                \"detections\": [\n                                    \"Cloud Compute Instance Created With Previously Unseen Image\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"description\": \"Use this macro to determine how far into the past the window should be to determine if the image is new or not\",\n                            \"definition\": \"-70m@m\",\n                            \"name\": \"previously_seen_cloud_compute_image_search_window_begin_offset\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"cloud_compute_instance_created_with_previously_unseen_image_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Cloud Compute Instance Created With Previously Unseen Instance Type\",\n                    \"id\": \"c6ddbf53-9715-49f3-bb4c-fb2e8a309cda\",\n                    \"version\": 1,\n                    \"date\": \"2018-03-12\",\n                    \"description\": \"Find EC2 instances being created with previously unseen instance types.\",\n                    \"how_to_implement\": \"You must be ingesting the appropriate cloud-infrastructure logs and have the Security Research cloud data model (https://github.com/splunk/cloud-datamodel-security-research/) installed. Run the \\\" Previously Seen Cloud Compute Instance Types\\\" support search to create a baseline of previously seen regions.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(Compute.dest) as dest from datamodel=Cloud_Infrastructure.Compute where Compute.event_name=RunInstances `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` by Compute.instance_type, Compute.src_user | `drop_dm_object_name(\\\"Compute\\\")` | inputlookup append=t previously_seen_cloud_compute_instance_types | stats min(firstTime) as firstTime max(lastTime) as lastTime, values(dest) as dest by instance_type, src_user | multireport [| table instance_type, firstTime, lastTime | outputlookup previously_seen_cloud_compute_instance_types | where fact=fiction][| eval new_type=if(firstTime >= relative_time(now(), `previously_seen_cloud_compute_instance_types_search_window_begin_offset`), 1, 0) | where new_type=1 | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`] | 
table instance_type, dest, src_user, firstTime, lastTime\",\n                    \"known_false_positives\": \"It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Cloud Cryptomining\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Cloud Compute Instance\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen Cloud Compute Instance Types\",\n                            \"id\": \"0ef13d46-164e-4cf5-816e-b3c0df170d00\",\n                            \"version\": 1,\n                            \"date\": \"2019-10-03\",\n                            \"description\": \"This search builds a table of previously seen cloud compute instance types\",\n                            \"how_to_implement\": \"You must be ingesting the appropriate cloud infrastructure logs and have the Security Research cloud data model installed.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Cloud_Infrastructure.Compute where Compute.action=run `previously_seen_cloud_compute_instance_types_input_filter` by Compute.instance_type | 
`drop_dm_object_name(\\\"Compute\\\")` | outputlookup previously_seen_cloud_compute_instance_types | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Cloud Cryptomining\"\n                                ],\n                                \"detections\": [\n                                    \"Cloud Compute Instance Created With Previously Unseen Instance Type\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"description\": \"Use this macro to determine how far into the past the window should be to determine if the instance type is new or not\",\n                            \"definition\": \"-70m@m\",\n                            \"name\": \"previously_seen_cloud_compute_instance_types_search_window_begin_offset\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"cloud_compute_instance_created_with_previously_unseen_instance_type_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Cloud Compute Instance Started In Previously Unused Region\",\n                    \"id\": \"fa4089e2-50e3-40f7-8469-d2cc1564ca59\",\n                    \"version\": 1,\n                    \"date\": \"2019-10-02\",\n                    \"description\": \"This search looks at cloud-infrastructure events where an instance is created in any region within the last hour and then compares it to a lookup file of previously seen regions where instances have been created.\",\n                    \"how_to_implement\": \"You must be ingesting the appropriate cloud-infrastructure logs and have the Security Research cloud data model (https://github.com/splunk/cloud-datamodel-security-research/) installed. Run the \\\\\\\"Previously Seen Cloud Compute Instance Types\\\\\\\" support search to create a baseline of previously seen regions.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(Compute.dest) as dest from datamodel=Cloud_Infrastructure.Compute where Compute.event_name=RunInstances `cloud_compute_instance_started_in_previously_unused_region_filter` by Compute.region, Compute.src_user | `drop_dm_object_name(\\\"Compute\\\")` | inputlookup append=t previously_seen_cloud_regions | stats min(firstTime) as firstTime max(lastTime) as lastTime, values(dest) as dest by region, src_user | multireport [| table region, firstTime, lastTime | outputlookup previously_seen_cloud_regions | where fact=fiction][| eval new_region=if(firstTime >= relative_time(now(), `previously_seen_cloud_regions_search_window_begin_offset`), 1, 0) | where new_region=1 
| `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`] | table region, dest, src_user, firstTime, lastTime\",\n                    \"known_false_positives\": \"It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Cloud Cryptomining\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1535\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Cloud Compute Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Unused/Unsupported Cloud Regions\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen Cloud Regions\",\n                            \"id\": \"b5e232db-dec6-4db8-aaa1-dd5474521e40\",\n                            \"version\": 1,\n                            \"date\": \"2019-10-02\",\n                            \"description\": \"This search looks for cloud compute events where a compute instance is started and creates a baseline of most recent 
time, `lastTime` and the first time `firstTime` we've seen this region in our dataset grouped by the region for the last 30 days\",\n                            \"how_to_implement\": \"You must be ingesting the appropriate cloud infrastructure logs and have the Security Research cloud data model installed.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Cloud_Infrastructure.Compute where Compute.action=start `previously_seen_cloud_regions_input_filter` by Compute.region | `drop_dm_object_name(\\\"Compute\\\")` | outputlookup previously_seen_cloud_regions | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Cloud Cryptomining\"\n                                ],\n                                \"detections\": [\n                                    \"Cloud Compute Instance Started In Previously Unused Region\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"description\": \"Use this macro to determine how far into the past the window should be to determine if the region is new or not\",\n                            \"definition\": \"-70m@m\",\n                            \"name\": \"previously_seen_cloud_regions_search_window_begin_offset\"\n 
                       },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"cloud_compute_instance_started_in_previously_unused_region_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"ColdRoot MacOS RAT\",\n            \"id\": \"bd91a2bc-d20b-4f44-a982-1bea98e86390\",\n            \"version\": 1,\n            \"date\": \"2019-01-09\",\n            \"description\": \"Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects MacOS. Examples of these activities include changing sensitive binaries in the MacOS sub-system, detecting process names and executables associated with the RAT, detecting when a keyboard tap is installed on a MacOS machine, and more.\",\n            \"narrative\": \"Conventional wisdom holds that Apple's MacOS operating system is significantly less vulnerable to attack than Windows machines. While that point is debatable, it is true that attacks against MacOS systems are much less common. However, this fact does not mean that Macs are impervious to breaches. To the contrary, research has shown that Mac malware is increasing at an alarming rate. According to AV-test, in 2018, there were 86,865 new MacOS malware variants, up from 27,338 the year before—a 31% increase. In contrast, the independent research firm found that new Windows malware had increased from 65.17M to 76.86M during that same period, less than half the rate of growth. 
The bottom line is that while the numbers look a lot smaller than Windows, it's definitely time to take Mac security more seriously.\\\\\\nThis Analytic Story addresses the ColdRoot remote access trojan (RAT), which was uploaded to Github in 2016, but was still escaping detection by the first quarter of 2018, when a new, more feature-rich variant was discovered masquerading as an Apple audio driver. Among other capabilities, the Pascal-based ColdRoot can heist passwords from users' keychains and remotely control infected machines without detection. In the initial report of his findings, Patrick Wardle, Chief Research Officer for Digita Security, explained that the new ColdRoot RAT could start and kill processes on the breached system, spawn new remote-desktop sessions, take screen captures and assemble them into a live stream of the victim's desktop, and more.\\\\\\nSearches in this Analytic Story leverage the capabilities of OSquery to address ColdRoot detection from several different angles, such as looking for the existence of associated files and processes, and monitoring for signs of an installed keylogger.\",\n            \"author\": \"Jose Hernandez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.intego.com/mac-security-blog/osxcoldroot-and-the-rat-invasion/\",\n                \"https://objective-see.com/blog/blog_0x2A.html\",\n                \"https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"ColdRoot MacOS RAT\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Malware\"\n                ],\n                \"mitre_attack_id\": [],\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n   
         },\n            \"detections\": [\n                {\n                    \"name\": \"Osquery pack - ColdRoot detection\",\n                    \"id\": \"a6fffe5e-05c3-4c04-badc-887607fbb8dc\",\n                    \"version\": 1,\n                    \"date\": \"2019-01-29\",\n                    \"description\": \"This search looks for ColdRoot events from the osx-attacks osquery pack.\",\n                    \"how_to_implement\": \"In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| from datamodel Alerts.Alerts | search app=osquery:results (name=pack_osx-attacks_OSX_ColdRoot_RAT_Launchd OR name=pack_osx-attacks_OSX_ColdRoot_RAT_Files) | rename columns.path as path | bucket _time span=30s | stats count(path) by _time, host, user, path | `osquery_pack___coldroot_detection_filter`\",\n                    \"known_false_positives\": \"There are no known false positives.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"ColdRoot MacOS RAT\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\",\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 4\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n   
                         \"DE.CM\",\n                            \"PR.PT\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"osquery_pack___coldroot_detection_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Processes Tapping Keyboard Events\",\n                    \"id\": \"2a371608-331d-4034-ae2c-21dda8f1d0ec\",\n                    \"version\": 1,\n                    \"date\": \"2019-01-25\",\n                    \"description\": \"This search looks for processes on a MacOS system that are tapping keyboard events in MacOS, essentially monitoring all keystrokes made by a user. This is a common technique used by RATs to log keystrokes from a victim, although it can also be used by legitimate processes like Siri to react to human input\",\n                    \"how_to_implement\": \"In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. 
Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Jose Hernandez, Splunk\",\n                    \"search\": \"| from datamodel Alerts.Alerts | search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps | rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id| dedup host,process_name | table host,process_name, cmd, process_id | `processes_tapping_keyboard_events_filter`\",\n                    \"known_false_positives\": \"There might be some false positives as keyboard event taps are used by processes like Siri and Zoom video chat, for some good examples of processes to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"ColdRoot MacOS RAT\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 4\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": 
\"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"processes_tapping_keyboard_events_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Collection and Staging\",\n            \"id\": \"8e03c61e-13c4-4dcd-bfbe-5ce5a8dc031a\",\n            \"version\": 1,\n            \"date\": \"2020-02-03\",\n            \"description\": \"Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating sensitive data. \",\n            \"narrative\": \"A common adversary goal is to identify and exfiltrate data of value from a target organization. This data may include email conversations and addresses, confidential company information, links to network design/infrastructure, important dates, and so on.\\\\\\n Attacks are composed of three activities: identification, collection, and staging data for exfiltration. Identification typically involves scanning systems and observing user activity. Collection can involve the transfer of large amounts of data from various repositories. Staging/preparation includes moving data to a central location and compressing (and optionally encoding and/or encrypting) it. All of these activities provide opportunities for defenders to identify their presence. 
\\\\\\nUse the searches to detect and monitor suspicious behavior related to these activities.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://attack.mitre.org/wiki/Collection\",\n                \"https://attack.mitre.org/wiki/Technique/T1074\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Collection and Staging\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1036\",\n                    \"T1114.001\",\n                    \"T1114.002\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Masquerading\",\n                    \"Local Email Collection\",\n                    \"Remote Email Collection\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Collection\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT32\",\n                    \"Dragonfly 2.0\",\n                    \"APT28\",\n                    \"Magic Hound\",\n                    \"BRONZE BUTLER\",\n                    \"Windshift\",\n                    \"FIN4\",\n                    \"Leafminer\",\n                    \"Ke3chang\",\n                    \"APT1\",\n                    \"menuPass\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Email files written outside of the Outlook directory\",\n                    \"id\": \"ee18ed37-0802-4268-9435-b3b91aaa18xx\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"The search looks at the change-analysis data model and detects email files created outside 
the normal Outlook directory.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path != \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\My Documents\\\\\\\\Outlook Files\\\\\\\\*\\\"  Filesystem.file_path!=\\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Outlook*\\\" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest | `drop_dm_object_name(\\\"Filesystem\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `email_files_written_outside_of_the_outlook_directory_filter` \",\n                    \"known_false_positives\": \"Administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. 
These attempts will be detected by the search.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Collection and Staging\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1114.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Local Email Collection\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Collection\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Magic Hound\",\n                            \"APT1\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search 
*\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"email_files_written_outside_of_the_outlook_directory_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Email servers sending high volume traffic to hosts\",\n                    \"id\": \"7f5fb3e1-4209-4914-90db-0ec21b556378\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server.\",\n                    \"how_to_implement\": \"This search requires you to be ingesting your network traffic and populating the Network_Traffic data model.  Your email servers must be categorized as \\\"email_server\\\" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The \\\"deviation_threshold\\\" field is a multiplying factor to control how much variation you're willing to tolerate. 
The \\\"minimum_data_samples\\\" field is the minimum number of connections of data samples required for the statistic to be valid.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as bytes_out from datamodel=Network_Traffic where All_Traffic.src_category=email_server by All_Traffic.dest_ip _time span=1d | `drop_dm_object_name(\\\"All_Traffic\\\")` | eventstats avg(bytes_out) as avg_bytes_out stdev(bytes_out) as stdev_bytes_out | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), \\\"@d\\\"), bytes_out, null))) as per_source_avg_bytes_out stdev(eval(if(_time < relative_time(now(), \\\"@d\\\"), bytes_out, null))) as per_source_stdev_bytes_out by dest_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_out > (avg_bytes_out + (deviation_threshold * stdev_bytes_out)) AND bytes_out > (per_source_avg_bytes_out + (deviation_threshold * per_source_stdev_bytes_out)) AND _time >= relative_time(now(), \\\"@d\\\") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_out - avg_bytes_out) / stdev_bytes_out, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_out - per_source_avg_bytes_out) / per_source_stdev_bytes_out, 2) | table dest_ip, _time, bytes_out, avg_bytes_out, per_source_avg_bytes_out, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `email_servers_sending_high_volume_traffic_to_hosts_filter`\",\n                    \"known_false_positives\": \"The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. 
Our recommendation is to adjust these values based on your network traffic to and from your email servers.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Collection and Staging\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1114.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 7\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Remote Email Collection\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Collection\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT1\",\n                            \"FIN4\",\n                            \"APT28\",\n                            \"Dragonfly 2.0\",\n                            \"Ke3chang\",\n                            \"Leafminer\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                  
          \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"email_servers_sending_high_volume_traffic_to_hosts_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Suspicious writes to System Volume Information\",\n                    \"id\": \"cd6297cd-2bdd-4aa1-84aa-5d2f84228fac\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search detects writes to the 'System Volume Information' folder by something other than the System process.\",\n                    \"how_to_implement\": \"You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"(`sysmon` OR tag=process) EventCode=11 process_id!=4 file_path=*System\\\\ Volume\\\\ Information* | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, file_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_writes_to_system_volume_information_filter`\",\n                    \"known_false_positives\": \"It is possible that other utilities or system processes may legitimately write to this folder. 
Investigate and modify the search to include exceptions as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Collection and Staging\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1036\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Windows\",\n                        \"mitre_attack_technique\": [\n                            \"Masquerading\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Windshift\",\n                            \"APT32\",\n                            \"BRONZE BUTLER\",\n                            \"menuPass\",\n                            \"Dragonfly 2.0\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"sysmon\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"suspicious_writes_to_system_volume_information_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Suspicious writes to windows Recycle Bin\",\n                    \"id\": \"b5541828-8ffd-4070-9d95-b3da4de924cb\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search detects writes to the recycle bin by a process other than explorer.exe.\",\n                    \"how_to_implement\": \"To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem` nodes.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM 
datamodel=Endpoint.Filesystem where Filesystem.file_path = \\\"*$Recycle.Bin*\\\" by Filesystem.process_id Filesystem.dest | `drop_dm_object_name(\\\"Filesystem\\\")`| search [| tstats `security_content_summariesonly` values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name != \\\"explorer.exe\\\" by Processes.process_id Processes.dest| `drop_dm_object_name(\\\"Processes\\\")` | table process_id dest] | `suspicious_writes_to_windows_recycle_bin_filter`\",\n                    \"known_false_positives\": \"Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Collection and Staging\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1036\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Windows\",\n                        \"mitre_attack_technique\": [\n                            \"Masquerading\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Windshift\",\n                            \"APT32\",\n                            \"BRONZE BUTLER\",\n                            \"menuPass\",\n                            \"Dragonfly 2.0\"\n        
                ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"suspicious_writes_to_windows_recycle_bin_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Hosts receiving high volume of network traffic from email server\",\n                    \"id\": \"7f5fb3e1-4209-4914-90db-0ec21b556368\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server.\",\n                    \"how_to_implement\": \"This search requires you to be ingesting your network traffic and populating the Network_Traffic data model.  Your email servers must be categorized as \\\"email_server\\\" for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The \\\"deviation_threshold\\\" field is a multiplying factor to control how much variation you're willing to tolerate. 
The \\\"minimum_data_samples\\\" field is the minimum number of connections of data samples required for the statistic to be valid.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` sum(All_Traffic.bytes_in) as bytes_in from datamodel=Network_Traffic where All_Traffic.dest_category=email_server by All_Traffic.src_ip _time span=1d | `drop_dm_object_name(\\\"All_Traffic\\\")` | eventstats avg(bytes_in) as avg_bytes_in stdev(bytes_in) as stdev_bytes_in | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), \\\"@d\\\"), bytes_in, null))) as per_source_avg_bytes_in stdev(eval(if(_time < relative_time(now(), \\\"@d\\\"), bytes_in, null))) as per_source_stdev_bytes_in by src_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_in > (avg_bytes_in + (deviation_threshold * stdev_bytes_in)) AND bytes_in > (per_source_avg_bytes_in + (deviation_threshold * per_source_stdev_bytes_in)) AND _time >= relative_time(now(), \\\"@d\\\") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_in - avg_bytes_in) / stdev_bytes_in, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_in - per_source_avg_bytes_in) / per_source_stdev_bytes_in, 2) | table src_ip, _time, bytes_in, avg_bytes_in, per_source_avg_bytes_in, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `hosts_receiving_high_volume_of_network_traffic_from_email_server_filter`\",\n                    \"known_false_positives\": \"The false-positive rate will vary based on how you set the deviation_threshold and data_samples values. 
Our recommendation is to adjust these values based on your network traffic to and from your email servers.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Collection and Staging\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1114.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 7\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Remote Email Collection\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Collection\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT1\",\n                            \"FIN4\",\n                            \"APT28\",\n                            \"Dragonfly 2.0\",\n                            \"Ke3chang\",\n                            \"Leafminer\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                  
          \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"hosts_receiving_high_volume_of_network_traffic_from_email_server_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Command and Control\",\n            \"id\": \"943773c6-c4de-4f38-89a8-0b92f98804d8\",\n            \"version\": 1,\n            \"date\": \"2018-06-01\",\n            \"description\": \"Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate command and control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.\",\n            \"narrative\": \"Threat actors typically architect and implement an infrastructure to use in various ways during the course of their attack campaigns. In some cases, they leverage this infrastructure for scanning and performing reconnaissance activities. In others, they may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These servers establish a command and control channel that is used to proxy data between the compromised endpoint and the attacker. These channels relay commands from the attacker to the compromised endpoint and the output of those commands back to the attacker.\\\\\\nBecause this communication is so critical for an adversary, they often use techniques designed to hide the true nature of the communications. There are many different techniques used to establish and communicate over these channels. 
This Analytic Story provides searches that look for a variety of the techniques used for these channels, as well as indications that these channels are active, by examining logs associated with border control devices and network-access control lists.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://attack.mitre.org/wiki/Command_and_Control\",\n                \"https://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Command and Control\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1071.004\",\n                    \"T1048\",\n                    \"T1095\",\n                    \"T1048.003\",\n                    \"T1071.001\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Web Protocols\",\n                    \"Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol\",\n                    \"Non-Application Layer Protocol\",\n                    \"Exfiltration Over Alternative Protocol\",\n                    \"DNS\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Exfiltration\",\n                    \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"Rocke\",\n                    \"APT41\",\n                    \"BRONZE BUTLER\",\n                    \"Gamaredon Group\",\n                    \"Threat Group-3390\",\n                    \"Cobalt Group\",\n                    \"Night Dragon\",\n                    
\"APT18\",\n                    \"APT32\",\n                    \"Tropic Trooper\",\n                    \"APT28\",\n                    \"Turla\",\n                    \"no\",\n                    \"Rancor\",\n                    \"FIN8\",\n                    \"SilverTerrier\",\n                    \"APT38\",\n                    \"APT29\",\n                    \"Sandworm Team\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"Machete\",\n                    \"APT33\",\n                    \"Orangeworm\",\n                    \"APT39\",\n                    \"Stealth Falcon\",\n                    \"Magic Hound\",\n                    \"Inception\",\n                    \"PLATINUM\",\n                    \"Dark Caracal\",\n                    \"Thrip\",\n                    \"APT3\",\n                    \"Wizard Spider\",\n                    \"WIRTE\",\n                    \"OilRig\",\n                    \"FIN4\",\n                    \"TA505\",\n                    \"Ke3chang\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect Spike in blocked Outbound Traffic from your AWS\",\n                    \"id\": \"ada0f278-84a8-46w1-a3f1-w32372d4bd53\",\n                    \"version\": 1,\n                    \"date\": \"2018-05-07\",\n                    \"description\": \"This search will detect spike in blocked outbound network connections originating from within your AWS environment.  It will also update the cache file that factors in the latest data.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. 
The `dataPointThreshold` variable is the number of data points required to meet the definition of \\\"spike.\\\" The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \\\"Baseline of Blocked Outbound Connection\\\" support search once to create a history of previously seen blocked outbound connections.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16)  [search  `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16)  | stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections as latestCount | eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720 | eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720)) | eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold = 3 | eval isSpike=if((latestCount > 
avgBlockedConnections+deviationThreshold*stdevBlockedConnections) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip] | stats values(dest_ip) as \\\"Blocked Destination IPs\\\", values(interface_id) as \\\"resourceId\\\" count as numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip | `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter`\",\n                    \"known_false_positives\": \"The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Network ACL Activity\",\n                            \"Suspicious AWS Traffic\",\n                            \"Command and Control\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\",\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 11\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"DE.CM\",\n                            \"PR.AC\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of blocked outbound traffic from AWS\",\n                            \"id\": 
\"fc0edd96-ff2b-48b0-9f1f-63da3782fd63\",\n                            \"version\": 1,\n                            \"date\": \"2018-05-07\",\n                            \"description\": \"This search establishes, on a per-hour basis, the average and the standard deviation of the number of outbound connections blocked in your VPC flow logs by each source IP address (IP address of your EC2 instances). Also recorded is the number of data points for each source IP. This table outputs to a lookup file to allow the detection search to operate quickly.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your `VPC flow logs.`.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | bucket _time span=1h | stats count as numberOfBlockedConnections by _time, src_ip | stats count(numberOfBlockedConnections) as numDataPoints, latest(numberOfBlockedConnections) as latestCount, avg(numberOfBlockedConnections) as avgBlockedConnections, stdev(numberOfBlockedConnections) as stdevBlockedConnections by src_ip | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS Network ACL Activity\",\n                                    \"Command and Control\",\n                                    \"Suspicious AWS Traffic\"\n                                ],\n                                \"detections\": [\n                                    \"Detect Spike in blocked Outbound 
Traffic from your AWS\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudwatchlogs:vpcflow\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"cloudwatchlogs_vpcflow\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_spike_in_blocked_outbound_traffic_from_your_aws_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Clients Connecting to Multiple DNS Servers\",\n                    \"id\": \"74ec6f18-604b-4202-a567-86b2066be3ce\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search.\",\n                    \"how_to_implement\": \"This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro.\\\\\\nThis search produces fields (`dest_count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. 
To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** Distinct DNS Connections, **Field:** dest_count\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src | `drop_dm_object_name(\\\"Network_Resolution\\\")` |where dest_count > 5 | `clients_connecting_to_multiple_dns_servers_filter` \",\n                    \"known_false_positives\": \"It's possible that an enterprise has more than five DNS servers that are configured in a round-robin rotation. 
Please customize the search, as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DNS Hijacking\",\n                            \"Command and Control\",\n                            \"Suspicious DNS Traffic\",\n                            \"Host Redirection\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1048.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 9\",\n                            \"CIS 12\",\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Exfiltration\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT32\",\n                            \"APT33\",\n                            \"Thrip\",\n                            \"FIN8\",\n                            \"OilRig\",\n                            \"Lazarus Group\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n     
                       \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"clients_connecting_to_multiple_dns_servers_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect hosts connecting to dynamic domain providers\",\n                    \"id\": \"c77162d3-f93c-45cc-80c8-22f6v5464g9f\",\n                    \"version\": 2,\n                    \"date\": \"2020-01-16\",\n                    \"description\": \"Malicious actors often abuse legitimate Dynamic DNS services to host malicious payloads or interactive command and control nodes. Attackers will automate domain resolution changes by routing dynamic domains to countless IP addresses to circumvent firewall blocks, blacklists as well as frustrate a network defenders analytic and investigative processes. This search will look for DNS queries made from within your infrastructure to suspicious dynamic domains.\",\n                    \"how_to_implement\": \"First, you'll need to ingest data from your DNS operations. This can be done by ingesting logs from your server or data, collected passively by Splunk Stream or a similar solution. Specifically, data that contains the domain that is being queried and the IP of the host originating the request must be populating the `Network_Resolution` data model. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of Dynamic DNS providers. 
Please consider updating the local lookup periodically by adding new domains to the list of `dynamic_dns_providers_local.csv`.\\\\\\nThis search produces fields (query, answer, isDynDNS) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable event. To see the additional metadata, add the following fields, if not already present, to Incident Review. Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** DNS Query, **Field:** query\\\\\\n1. \\\\\\n1. **Label:** DNS Answer, **Field:** answer\\\\\\n1. \\\\\\n1. **Label:** IsDynamicDNS, **Field:** isDynDNS\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(\\\"DNS\\\")` | `security_content_ctime(firstTime)` | `dynamic_dns_providers` | `detect_hosts_connecting_to_dynamic_domain_providers_filter`\",\n                    \"known_false_positives\": \"Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Data Protection\",\n                            \"Prohibited Traffic Allowed or Protocol Mismatch\",\n                            \"DNS Hijacking\",\n                            \"Suspicious DNS Traffic\",\n                            
\"Dynamic DNS\",\n                            \"Command and Control\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 12\",\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"PR.DS\",\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True\",\n                            \"description\": \"This macro limits the output of the query field to dynamic dns domains. 
It looks up the domains in a file provided by Splunk and one intended to be updated by the end user.\",\n                            \"name\": \"dynamic_dns_providers\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_hosts_connecting_to_dynamic_domain_providers_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Large Outbound ICMP Packets\",\n                    \"id\": \"e9c102de-4d43-42a7-b1c8-8062ea297419\",\n                    \"version\": 2,\n                    \"date\": \"2018-06-01\",\n                    \"description\": \"This search looks for outbound ICMP packets with a packet size larger than 1,000 bytes. Various threat actors have been known to use ICMP as a command and control channel for their attack infrastructure. Large ICMP packets from an endpoint to a remote host may be indicative of this activity.\",\n                    \"how_to_implement\": \"In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have a good understanding of how your network segments are designed and that you are able to distinguish internal from external address space. 
Add a category named `internal` to the CIDRs that host the company's assets in the `assets_by_cidr.csv` lookup file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`. More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) values(All_Traffic.bytes) from datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes > 1000 by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name(\\\"All_Traffic\\\")` | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_large_outbound_icmp_packets_filter`\",\n                    \"known_false_positives\": \"ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with command and control traffic, there will typically be a large number of these packets observed over time. 
If the search is providing a large number of false positives, you can adjust the 1,000-byte threshold (`All_Traffic.bytes > 1000`), exclude specific source or destination IP addresses in the `detect_large_outbound_icmp_packets_filter` macro, or extend the exclusions if your internal address space is not fully covered by the `internal` asset category and the hard-coded RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), as necessary.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Command and Control\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1095\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 9\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Non-Application Layer Protocol\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT29\",\n                            \"PLATINUM\",\n                            \"APT3\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert 
timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_large_outbound_icmp_packets_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Long DNS TXT Record Response\",\n                    \"id\": \"05437c07-62f5-452e-afdc-04dd44815bb9\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls often receive TXT answers that are far longer than legitimate ones, so this search reports TXT responses whose answer exceeds 100 characters.\",\n                    \"how_to_implement\": \"To successfully implement this search you need to ingest data from your DNS logs, or monitor DNS traffic using Stream, Bro or something similar. 
Specifically, this query requires that the DNS data model is populated with information regarding the DNS record type that is being returned as well as the data in the answer section of the protocol.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type |  `drop_dm_object_name(\\\"DNS\\\")` | eval anslen=len(answer) | search anslen>100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename src as \\\"Source IP\\\", dest as \\\"Destination IP\\\", answer as \\\"DNS Answer\\\" anslen as \\\"Answer Length\\\" record_type as \\\"DNS Record Type\\\" firstTime as \\\"First Time\\\" lastTime as \\\"Last Time\\\" count as Count | table \\\"Source IP\\\" \\\"Destination IP\\\" \\\"DNS Answer\\\" \\\"DNS Record Type\\\"  \\\"Answer Length\\\" Count \\\"First Time\\\" \\\"Last Time\\\" | `detect_long_dns_txt_record_response_filter`\",\n                    \"known_false_positives\": \"It's possible that legitimate TXT record responses can be long enough to trigger this search. 
You can raise the answer-length threshold (`anslen>100`, the character length of the TXT answer) or exclude known-good domains in the `detect_long_dns_txt_record_response_filter` macro to help mitigate false positives.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious DNS Traffic\",\n                            \"Command and Control\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1071.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 12\",\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"PR.DS\",\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"DNS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"OilRig\",\n                            \"Ke3chang\",\n                            \"Cobalt Group\",\n                            \"APT18\",\n                            \"APT41\",\n                            \"FIN7\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data 
model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_long_dns_txt_record_response_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detection of DNS Tunnels\",\n                    \"id\": \"104658f4-afdc-499f-9719-17a43f9826f4\",\n                    \"version\": 2,\n                    \"date\": \"2017-09-18\",\n                    \"description\": \"This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic.\",\n                    \"how_to_implement\": \"To successfully implement this search, we must ensure that DNS data is being ingested and mapped to the appropriate fields in the Network_Resolution data model. 
Fields like src_category are automatically provided by the Assets and Identity Framework shipped with Splunk Enterprise Security. You will need to ensure you are using the Assets and Identity Framework and populating the src_category field. You will also need to enable the `cim_corporate_web_domain_search()` macro which will essentially filter out the DNS queries made to the corporate web domains to reduce alert fatigue.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` dc(\\\"DNS.query\\\") as count  from datamodel=Network_Resolution  where nodename=DNS \\\"DNS.message_type\\\"=\\\"QUERY\\\" NOT (`cim_corporate_web_domain_search(\\\"DNS.query\\\")`) NOT \\\"DNS.query\\\"=\\\"*.in-addr.arpa\\\" NOT (\\\"DNS.src_category\\\"=\\\"svc_infra_dns\\\" OR \\\"DNS.src_category\\\"=\\\"svc_infra_webproxy\\\" OR \\\"DNS.src_category\\\"=\\\"svc_infra_email*\\\"   ) by \\\"DNS.src\\\",\\\"DNS.query\\\" | rename \\\"DNS.src\\\" as src  \\\"DNS.query\\\" as message | eval length=len(message) | stats sum(length) as length by src | append [ tstats `security_content_summariesonly` dc(\\\"DNS.answer\\\") as count  from datamodel=Network_Resolution  where nodename=DNS \\\"DNS.message_type\\\"=\\\"QUERY\\\" NOT (`cim_corporate_web_domain_search(\\\"DNS.query\\\")`) NOT \\\"DNS.query\\\"=\\\"*.in-addr.arpa\\\" NOT (\\\"DNS.src_category\\\"=\\\"svc_infra_dns\\\" OR \\\"DNS.src_category\\\"=\\\"svc_infra_webproxy\\\" OR \\\"DNS.src_category\\\"=\\\"svc_infra_email*\\\"   ) by \\\"DNS.src\\\",\\\"DNS.answer\\\" | rename \\\"DNS.src\\\" as src  \\\"DNS.answer\\\" as message | eval message=if(message==\\\"unknown\\\",\\\"\\\", message) | eval length=len(message) | stats sum(length) as length by src ] | stats sum(length) as length by src | where length > 10000 | `detection_of_dns_tunnels_filter`\",\n                    
\"known_false_positives\": \"It's possible that normal DNS traffic will exhibit this behavior. If an alert is generated, please investigate and validate as appropriate. Internal DNS, web-proxy and mail servers are only excluded when their asset records carry the `svc_infra_dns`, `svc_infra_webproxy` or `svc_infra_email*` source categories, so servers of those types that are not categorized will surface as false positives. The threshold (`length > 10000`, the summed length of queries and answers per source) can also be modified to better suit your environment.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Data Protection\",\n                            \"Suspicious DNS Traffic\",\n                            \"Command and Control\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1071.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"DNS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"OilRig\",\n                            \"Ke3chang\",\n                            \"Cobalt Group\",\n                            \"APT18\",\n                            \"APT41\",\n                            \"FIN7\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": 
\"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detection_of_dns_tunnels_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"DNS Query Length Outliers - MLTK\",\n                    \"id\": \"85fbcfe8-9718-4911-adf6-7000d077a3a9\",\n                    \"version\": 2,\n                    \"date\": \"2020-01-22\",\n                    \"description\": \"This search allows you to identify DNS requests that are unusually large for the record type being requested in your environment.\",\n                    \"how_to_implement\": \"To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \\\"Baseline of DNS Query Length - MLTK\\\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. 
You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\\\\\\nThis search produces fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** DNS Query, **Field:** query\\\\\\n1. \\\\\\n1. **Label:** DNS Query Length, **Field:** query_length\\\\\\n1. \\\\\\n1. **Label:** Number of events, **Field:** count\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* |  `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval query_length = len(query) | apply dns_query_pdfmodel threshold=0.01 | rename \\\"IsOutlier(query_length)\\\" as isOutlier | search isOutlier > 0 | sort -query_length | table start_time end_time query record_type count src dest query_length | `dns_query_length_outliers___mltk_filter` \",\n                    \"known_false_positives\": \"If you are seeing more results than desired, you may consider reducing the value for threshold in the search. 
You should also periodically re-run the support search to re-build the ML model on the latest data.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Hidden Cobra Malware\",\n                            \"Suspicious DNS Traffic\",\n                            \"Command and Control\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1071.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"DNS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"OilRig\",\n                            \"Ke3chang\",\n                            \"Cobalt Group\",\n                            \"APT18\",\n                            \"APT41\",\n                            \"FIN7\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of DNS Query Length - MLTK\",\n                            \"id\": \"c914844c-0ff5-4efc-8d44-c063443129ba\",\n         
                   \"version\": 1,\n                            \"date\": \"2019-05-08\",\n                            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the DNS queries for each DNS record type observed in the environment. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search, which uses it to identify outliers in the length of the DNS query.\",\n                            \"how_to_implement\": \"To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. 
More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(\\\"DNS\\\")` | eval query_length = len(query) | fit DensityFunction query_length by record_type into dns_query_pdfmodel\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Command and Control\",\n                                    \"Hidden Cobra Malware\",\n                                    \"Suspicious DNS Traffic\"\n                                ],\n                                \"detections\": [\n                                    \"DNS Query Length Outliers - MLTK\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                     
       \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"dns_query_length_outliers___mltk_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"DNS Query Length With High Standard Deviation\",\n                    \"id\": \"1a67f15a-f4ff-4170-84e9-08cf6f75d6f5\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search allows you to identify DNS requests and compute the standard deviation on the length of the names being resolved, then filter on two times the standard deviation to show you those queries that are unusually large for your environment.\",\n                    \"how_to_implement\": \"To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.query DNS.record_type |  `drop_dm_object_name(\\\"DNS\\\")` | eval query_length = len(query) | table query query_length record_type count | eventstats stdev(query_length) AS stdev avg(query_length) AS avg p50(query_length) AS p50| where query_length>(avg+stdev*2) | eval z_score=(query_length-avg)/stdev | `dns_query_length_with_high_standard_deviation_filter` \",\n                    \"known_false_positives\": \"It's possible there can be long domain names that are legitimate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Hidden Cobra Malware\",\n                            \"Suspicious DNS Traffic\",\n                            \"Command and Control\"\n                        
],\n                        \"mitre_attack_id\": [\n                            \"T1071.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"DNS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"OilRig\",\n                            \"Ke3chang\",\n                            \"Cobalt Group\",\n                            \"APT18\",\n                            \"APT41\",\n                            \"FIN7\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"dns_query_length_with_high_standard_deviation_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"DNS Query Requests Resolved by Unauthorized DNS Servers\",\n                    \"id\": \"1a67f15a-f4ff-4170-84e9-08cf6f75d6f6\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework.\",\n                    \"how_to_implement\": \"To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise Security.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name(\\\"DNS\\\")` | `dns_query_requests_resolved_by_unauthorized_dns_servers_filter` \",\n                    \"known_false_positives\": \"Legitimate DNS activity can be detected in this search. 
Investigate, verify and update the list of authorized DNS servers as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DNS Hijacking\",\n                            \"Command and Control\",\n                            \"Suspicious DNS Traffic\",\n                            \"Host Redirection\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1071.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\",\n                            \"CIS 3\",\n                            \"CIS 8\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\",\n                            \"PR.IP\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"DNS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"OilRig\",\n                            \"Ke3chang\",\n                            \"Cobalt Group\",\n                            \"APT18\",\n                            \"APT41\",\n                            \"FIN7\"\n                        ]\n                    },\n                    \"macros\": [\n            
            {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"dns_query_requests_resolved_by_unauthorized_dns_servers_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Excessive DNS Failures\",\n                    \"id\": \"104658f4-afdc-499e-9719-17243f9826f1\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search identifies DNS query failures by counting the number of DNS responses that do not indicate success, and trigger on more than 50 occurrences.\",\n                    \"how_to_implement\": \"To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(\\\"DNS.query\\\") as queries from datamodel=Network_Resolution where nodename=DNS \\\"DNS.reply_code\\\"!=\\\"No Error\\\" \\\"DNS.reply_code\\\"!=\\\"NoError\\\" DNS.reply_code!=\\\"unknown\\\" NOT \\\"DNS.query\\\"=\\\"*.arpa\\\" \\\"DNS.query\\\"=\\\"*.*\\\" by \\\"DNS.src\\\",\\\"DNS.query\\\"| `drop_dm_object_name(\\\"DNS\\\")`| lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain| where isnull(domain)| lookup update=true alexa_lookup_by_str domain as query 
OUTPUT rank| where isnull(rank)| stats sum(count) as count mode(queries) as queries by src| `get_asset(src)`| where count>50 | `excessive_dns_failures_filter`\",\n                    \"known_false_positives\": \"It is possible legitimate traffic can trigger this rule. Please investigate as appropriate. The threshold for generating an event can also be customized to better suit your environment.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious DNS Traffic\",\n                            \"Command and Control\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1071.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 9\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"DNS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"OilRig\",\n                            \"Ke3chang\",\n                            \"Cobalt Group\",\n                            \"APT18\",\n                            \"APT41\",\n                            \"FIN7\"\n 
                       ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"excessive_dns_failures_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Prohibited Network Traffic Allowed\",\n                    \"id\": \"ce5a0962-849f-4720-a678-753fe6674479\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for network traffic defined by port and transport layer protocol in the Enterprise Security lookup table \\\"lookup_interesting_ports\\\", that is marked as prohibited, and has an associated 'allow' action in the Network_Traffic data model. This could be indicative of a misconfigured network device.\",\n                    \"how_to_implement\": \"In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. 
The search requires the Network_Traffic data model be populated.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port OUTPUT app is_prohibited note transport | search is_prohibited=true | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Traffic\\\")` | `prohibited_network_traffic_allowed_filter`\",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Prohibited Traffic Allowed or Protocol Mismatch\",\n                            \"Ransomware\",\n                            \"Command and Control\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1048\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\",\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 9\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"PR.AC\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Exfiltration Over Alternative Protocol\"\n                
        ],\n                        \"mitre_attack_tactics\": [\n                            \"Exfiltration\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"prohibited_network_traffic_allowed_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Protocol or Port Mismatch\",\n                    \"id\": \"54dc1265-2f74-4b6d-b30d-49eb506a31b3\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for network traffic on common ports where a higher layer protocol does not match the port that is being used. For example, this search should identify cases where protocols other than HTTP are running on TCP port 80. 
This can be used by attackers to circumvent firewall restrictions, or as an attempt to hide malicious communications over ports and protocols that are typically allowed and not well inspected.\",\n                    \"how_to_implement\": \"Running this search properly requires a technology that can inspect network traffic and identify common protocols. Technologies such as Bro and Palo Alto Networks firewalls are two examples that will identify protocols via inspection, and not just assume a specific protocol based on the transport protocol and ports.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) OR ((All_Traffic.app=web-browsing OR All_Traffic.app=http) NOT (All_Traffic.dest_port=80 OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8000)) OR (All_Traffic.app=ssl NOT (All_Traffic.dest_port=443 OR All_Traffic.dest_port=8443)) OR (All_Traffic.app=smtp NOT All_Traffic.dest_port=25) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Traffic\\\")` | `protocol_or_port_mismatch_filter`\",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Prohibited Traffic Allowed or Protocol Mismatch\",\n                            \"Command and Control\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1048.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n         
               ],\n                        \"cis20\": [\n                            \"CIS 9\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"PR.AC\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Exfiltration\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT32\",\n                            \"APT33\",\n                            \"Thrip\",\n                            \"FIN8\",\n                            \"OilRig\",\n                            \"Lazarus Group\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this 
macro to limit the output results to filter out false positives. \",\n                            \"name\": \"protocol_or_port_mismatch_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"TOR Traffic\",\n                    \"id\": \"ea688274-9c06-4473-b951-e4cb7a5d7a45\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search looks for network traffic identified as The Onion Router (TOR), a benign anonymity network which can be abused for a variety of nefarious purposes.\",\n                    \"how_to_implement\": \"In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model be populated.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Traffic\\\")` | `tor_traffic_filter`\",\n                    \"known_false_positives\": \"None at this time\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Prohibited Traffic Allowed or Protocol Mismatch\",\n                            \"Ransomware\",\n                            \"Command and Control\"\n                        ],\n                        
\"mitre_attack_id\": [\n                            \"T1071.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 9\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Web Protocols\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"TA505\",\n                            \"Rocke\",\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"MuddyWater\",\n                            \"Wizard Spider\",\n                            \"Inception\",\n                            \"APT41\",\n                            \"SilverTerrier\",\n                            \"Machete\",\n                            \"APT28\",\n                            \"WIRTE\",\n                            \"APT33\",\n                            \"FIN4\",\n                            \"Night Dragon\",\n                            \"APT18\",\n                            \"APT38\",\n                            \"Cobalt Group\",\n                            \"APT19\",\n                            \"Threat Group-3390\",\n                            \"Rancor\",\n                            \"Orangeworm\",\n                            \"APT37\",\n                            \"Ke3chang\",\n                
            \"Dark Caracal\",\n                            \"Turla\",\n                            \"Lazarus Group\",\n                            \"BRONZE BUTLER\",\n                            \"APT32\",\n                            \"OilRig\",\n                            \"Magic Hound\",\n                            \"Gamaredon Group\",\n                            \"Stealth Falcon\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"tor_traffic_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Common Phishing Frameworks\",\n            \"id\": \"9a64ab44-9214-4639-8163-7eaa2621bd61\",\n            \"version\": 1,\n            \"date\": \"2019-04-29\",\n            \"description\": \"Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. 
These websites are designed to fool unwitting users who have clicked on a malicious link in a phishing email. \",\n            \"narrative\": \"As most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Because phishing is a technique that relies on human psychology, you will never be able to eliminate this vulnerability 100%. But you can use automated detection to significantly reduce the risks.\\\\\\nThis Analytic Story focuses on detecting signs of MiTM attacks enabled by [EvilGinx2](https://github.com/kgretzky/evilginx2), a toolkit that sets up a transparent proxy between the targeted site and the user. In this way, the attacker is able to intercept credentials and two-factor identification tokens. It employs a proxy template to allow a registered domain to impersonate targeted sites, such as Linkedin, Amazon, Okta, Github, Twitter, Instagram, Reddit, Office 365, and others. It can even register SSL certificates and camouflage them via a URL shortener, making them difficult to detect. 
Searches in this story look for signs of MiTM attacks enabled by EvilGinx2.\",\n            \"author\": \"Splunk Research Team, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://github.com/kgretzky/evilginx2\",\n                \"https://attack.mitre.org/techniques/T1192/\",\n                \"https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Common Phishing Frameworks\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1566.003\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Spearphishing via Service\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Dark Caracal\",\n                    \"Magic Hound\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"Windshift\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect DNS requests to Phishing Sites leveraging EvilGinx2\",\n                    \"id\": \"24dd17b1-e2fb-4c31-878c-d4f226595bfa\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites.\",\n                    \"how_to_implement\": \"You need to ingest data from your DNS logs in the Network_Resolution datamodel. Specifically you must ingest the domain that is being queried and the IP of the host originating the request. 
Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability which can aid you in future investigations. You will have to add legitimate domain names to the `legit_domains.csv` file shipped with the app. \\\\\\n **Splunk>Phantom Playbook Integration**\\\\\\nIf Splunk>Phantom is also configured in your environment, a Playbook called `Lets Encrypt Domain Investigate` can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \\\"Phantom Instance\\\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \\\\\\n(Playbook link:`https://my.phantom.us/4.2/playbook/lets-encrypt-domain-investigate/`).\\\\\\n\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution.DNS by DNS.dest DNS.src DNS.query host | `drop_dm_object_name(DNS)`| rex field=query \\\".*?(?<domain>[^./:]+\\\\.(\\\\S{2,3}|\\\\S{2,3}.\\\\S{2,3}))$\\\" | stats count values(query) as query by domain dest src answer| search `evilginx_phishlets_amazon` OR `evilginx_phishlets_facebook` OR `evilginx_phishlets_github` OR `evilginx_phishlets_0365` OR `evilginx_phishlets_outlook` OR `evilginx_phishlets_aws` OR `evilginx_phishlets_google` | search NOT [ inputlookup legit_domains.csv | fields domain]| join domain type=outer [| tstats count `security_content_summariesonly` values(Web.url) as url from datamodel=Web.Web by Web.dest Web.site | rename \\\"Web.*\\\" as * | rex field=site \\\".*?(?<domain>[^./:]+\\\\.(\\\\S{2,3}|\\\\S{2,3}.\\\\S{2,3}))$\\\" | table dest 
domain url] | table count src dest query answer domain url | `detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter`\",\n                    \"known_false_positives\": \"If a known good domain is not listed in the legit_domains.csv file, then the search could give you false postives. Please update that lookup file to filter out DNS requests to legitimate domains.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Common Phishing Frameworks\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1566.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\",\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 7\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\",\n                            \"PR.IP\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Spearphishing via Service\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Magic Hound\",\n                            \"Windshift\",\n                            \"FIN6\",\n                            \"OilRig\",\n                            \"Dark Caracal\"\n                        ]\n                    },\n                    \"macros\": [\n        
                {\n                            \"definition\": \"(query=outlook* AND query=login* AND query=account*)\",\n                            \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as Outlook\",\n                            \"name\": \"evilginx_phishlets_outlook\"\n                        },\n                        {\n                            \"definition\": \"(query=login* AND query=www*)\",\n                            \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as Office 365\",\n                            \"name\": \"evilginx_phishlets_0365\"\n                        },\n                        {\n                            \"definition\": \"(query=fls-na* AND query = www* AND query=images*)\",\n                            \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as Amazon\",\n                            \"name\": \"evilginx_phishlets_amazon\"\n                        },\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"(query=api* AND query = github*)\",\n                            \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as GitHub\",\n                            \"name\": \"evilginx_phishlets_github\"\n                        },\n                        {\n                            \"definition\": \"(query=www* AND query=aws* AND query=console.aws* AND query=signin.aws* AND api-northeast-1.console.aws* AND query=fls-na* AND query=images-na*)\",\n                 
           \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as an AWS console\",\n                            \"name\": \"evilginx_phishlets_aws\"\n                        },\n                        {\n                            \"definition\": \"(query=www* AND query = m* AND query=static*)\",\n                            \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as FaceBook\",\n                            \"name\": \"evilginx_phishlets_facebook\"\n                        },\n                        {\n                            \"definition\": \"(query=accounts* AND query=ssl* AND query=www*)\",\n                            \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as Google\",\n                            \"name\": \"evilginx_phishlets_google\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Container Implantation Monitoring and Investigation\",\n            \"id\": \"aa0e28b1-0521-4b6f-9d2a-7b87e34af246\",\n            \"version\": 1,\n            \"date\": \"2020-02-20\",\n            \"description\": \"Use the searches in this story to monitor your Kubernetes registry repositories for upload, and deployment of potentially vulnerable, backdoor, or implanted containers. These searches provide information on source users, destination path, container names and repository names. 
The searches provide context to address MITRE T1525, which refers to the upload of implanted containers to a company's repository in Amazon Elastic Container Registry, Google Container Registry, or Azure Container Registry.\",\n            \"narrative\": \"Container registries provide a way for organizations to keep customized images of their development and infrastructure environment private. However, if these repositories are misconfigured or privileged users' credentials are compromised, attackers can potentially upload implanted containers which can then be deployed across the organization. These searches allow operators to monitor who uploaded what to the container registry, and when.\",\n            \"author\": \"Rod Soto, Rico Valdez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://github.com/splunk/cloud-datamodel-security-research\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Container Implantation Monitoring and Investigation\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1525\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Implant Container Image\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"GCP GCR container uploaded\",\n                    \"id\": \"4f00ca88-e766-4605-ac65-ae51c9fd185b\",\n                    \"version\": 1,\n                    \"date\": \"2020-02-20\",\n                    \"description\": \"This search shows information on uploaded containers including source user, account, 
action, bucket name event name, http user agent, message and destination path.\",\n                    \"how_to_implement\": \"You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a subpub subscription to be imported to Splunk. You must also install Cloud Infrastructure data model. Please also customize the `container_implant_gcp_detection_filter` macro to filter out the false positives.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rod Soto, Rico Valdez, Splunk\",\n                    \"search\": \"|tstats count min(_time) as firstTime max(_time) as lastTime  FROM datamodel=Cloud_Infrastructure.Storage where Storage.event_name=storage.objects.create by Storage.src_user Storage.account Storage.action Storage.bucket_name Storage.event_name Storage.http_user_agent Storage.msg Storage.object_path | `drop_dm_object_name(\\\"Storage\\\")`  | `gcp_gcr_container_uploaded_filter` \",\n                    \"known_false_positives\": \"Uploading container is a normal behavior from developers or users with access to container registry. 
GCP GCR registers a container upload as a Storage event, so this search must be considered in the context of container upload creation, which automatically generates a bucket entry for the destination path.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Container Implantation Monitoring and Investigation\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"asset_type\": \"GCP GCR Container\",\n                        \"mitre_attack_id\": [\n                            \"T1525\"\n                        ],\n                        \"mitre_attack_technique\": [\n                            \"Implant Container Image\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"gcp_gcr_container_uploaded_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"New container uploaded to AWS ECR\",\n                    \"id\": \"f0f70b40-f7ad-489d-9905-23d149da8099\",\n                    \"version\": 1,\n                    \"date\": \"2020-02-20\",\n                    \"description\": \"This search shows information on uploaded containers including source user, image id, source IP, user type, http user agent, region, first time, last time of operation (PutImage). 
These searches are based on Cloud Infrastructure Data Model.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You must also install Cloud Infrastructure data model. Please also customize the `container_implant_aws_detection_filter` macro to filter out the false positives.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rod Soto, Rico Valdez, Splunk\",\n                    \"search\": \"| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Cloud_Infrastructure.Compute where Compute.user_type!=\\\"AssumeRole\\\" AND Compute.http_user_agent=\\\"AWS Internal\\\" AND Compute.event_name=\\\"PutImage\\\" by Compute.image_id Compute.src_user Compute.src Compute.region Compute.msg Compute.user_type | `drop_dm_object_name(\\\"Compute\\\")` | `new_container_uploaded_to_aws_ecr_filter` \",\n                    \"known_false_positives\": \"Uploading container is a normal behavior from developers or users with access to container registry.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Container Implantation Monitoring and Investigation\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"asset_type\": \"AWS ECR container\",\n                        \"mitre_attack_id\": [\n                            \"T1525\"\n                        ],\n                        \"mitre_attack_technique\": [\n                            \"Implant Container Image\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                     
   ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"new_container_uploaded_to_aws_ecr_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Credential Dumping\",\n            \"id\": \"854d78bf-d0e2-4f4e-b05c-640905f86d7a\",\n            \"version\": 3,\n            \"date\": \"2020-02-04\",\n            \"description\": \"Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The included searches in this Analytic Story are designed to identify credential dumping attempts.\",\n            \"narrative\": \"Credential dumping—gathering credentials from a target system, often hashed or encrypted—is a common attack technique. Even though the credentials may not be in plain text, an attacker can still exfiltrate the data and set about cracking it offline, on their own systems. The threat actors target a variety of sources to extract them, including the Security Accounts Manager (SAM), Local Security Authority (LSA), NTDS from Domain Controllers, or the Group Policy Preference (GPP) files.\\\\\\nOnce attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest. 
Credentials obtained in this manner typically include those of privileged users, which may provide access to more sensitive information and system operations.\\\\\\nThe detection searches in this Analytic Story monitor access to the Local Security Authority Subsystem Service (LSASS) process, the usage of shadowcopies for credential dumping and some other techniques for credential dumping.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://attack.mitre.org/wiki/Technique/T1003\",\n                \"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Credential Dumping\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1003\",\n                    \"T1059.001\",\n                    \"T1003.002\",\n                    \"T1003.001\",\n                    \"T1003.003\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"OS Credential Dumping\",\n                    \"NTDS\",\n                    \"Security Account Manager\",\n                    \"LSASS Memory\",\n                    \"PowerShell\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Credential Access\",\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Dragonfly 2.0\",\n                    \"Soft Cell\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"Stolen Pencil\",\n                    \"Cleaver\",\n                    \"APT41\",\n                    \"BRONZE BUTLER\",\n                    
\"Frankenstein\",\n                    \"Threat Group-3390\",\n                    \"DarkHydrus\",\n                    \"Cobalt Group\",\n                    \"TA459\",\n                    \"FIN10\",\n                    \"Night Dragon\",\n                    \"APT32\",\n                    \"TEMP.Veles\",\n                    \"Patchwork\",\n                    \"APT28\",\n                    \"Deep Panda\",\n                    \"Turla\",\n                    \"Ke3chang\",\n                    \"Whitefly\",\n                    \"CopyKittens\",\n                    \"FIN8\",\n                    \"Sandworm Team\",\n                    \"Gallmaker\",\n                    \"APT29\",\n                    \"Silence\",\n                    \"Molerats\",\n                    \"APT19\",\n                    \"Sowbug\",\n                    \"menuPass\",\n                    \"DarkVishnya\",\n                    \"Blue Mockingbird\",\n                    \"Suckfly\",\n                    \"Poseidon Group\",\n                    \"Stealth Falcon\",\n                    \"APT39\",\n                    \"Gorgon Group\",\n                    \"Magic Hound\",\n                    \"Inception\",\n                    \"PLATINUM\",\n                    \"Leafminer\",\n                    \"Kimsuky\",\n                    \"Axiom\",\n                    \"Thrip\",\n                    \"APT3\",\n                    \"Wizard Spider\",\n                    \"WIRTE\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"TA505\",\n                    \"APT33\",\n                    \"APT1\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Access LSASS Memory for Dump Creation\",\n                    \"id\": \"fb4c31b0-13e8-4155-8aa5-24de4b8d6717\",\n                    \"version\": 2,\n                    \"date\": \"2019-12-06\",\n              
      \"description\": \"Detect memory dumping of the LSASS process.\",\n                    \"how_to_implement\": \"This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\"\n                    ],\n                    \"author\": \"Patrick Bareiss, Splunk\",\n                    \"search\": \"`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, TargetProcessId, SourceImage, SourceProcessId | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter` \",\n                    \"known_false_positives\": \"Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Credential Dumping\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1003.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 6\",\n             
               \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Windows\",\n                        \"mitre_attack_technique\": [\n                            \"LSASS Memory\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Credential Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Whitefly\",\n                            \"Blue Mockingbird\",\n                            \"Silence\",\n                            \"Threat Group-3390\",\n                            \"Leviathan\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"Stolen Pencil\",\n                            \"APT32\",\n                            \"Lazarus Group\",\n                            \"Leafminer\",\n                            \"Magic Hound\",\n                            \"MuddyWater\",\n                            \"PLATINUM\",\n                            \"FIN8\",\n                            \"BRONZE BUTLER\",\n                            \"OilRig\",\n                            \"FIN6\",\n                            \"APT3\",\n                            \"APT28\",\n                            \"APT1\",\n                            \"Ke3chang\",\n                            \"Cleaver\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\",\n                 
            \"description\": \"customer-specific Splunk configurations (e.g. index, source, sourcetype). Replace the macro definition with configurations for your Splunk environment.\",\n                            \"name\": \"sysmon\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"access_lsass_memory_for_dump_creation_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Attempt To Set Default PowerShell Execution Policy To Unrestricted or Bypass\",\n                    \"id\": \"c2590137-0b08-4985-9ec5-6ae23d92f63d\",\n                    \"version\": 5,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"Monitor for changes of the ExecutionPolicy in the registry to the values \\\"unrestricted\\\" or \\\"bypass,\\\" which allow the execution of malicious scripts.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Registry node. 
You must also be ingesting logs with the fields registry_path, registry_key_name, and registry_value_name from your endpoints.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Patrick Bareiss, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=*Software\\\\\\\\Microsoft\\\\\\\\Powershell\\\\\\\\1\\\\\\\\ShellIds\\\\\\\\Microsoft.PowerShell* Registry.registry_key_name=ExecutionPolicy (Registry.registry_value_name=Unrestricted OR Registry.registry_value_name=Bypass) by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `attempt_to_set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter` \",\n                    \"known_false_positives\": \"Administrators may attempt to change the default execution policy on a system for a variety of reasons. However, setting the policy to \\\"unrestricted\\\" or \\\"bypass\\\" as this search is designed to identify, would be unusual. 
Hits should be reviewed and investigated as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Malicious PowerShell\",\n                            \"Credential Dumping\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"PowerShell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"DarkVishnya\",\n                            \"Molerats\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Soft Cell\",\n                            \"TA505\",\n                            \"WIRTE\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"Gallmaker\",\n                            \"Turla\",\n                     
       \"APT19\",\n                            \"DarkHydrus\",\n                            \"APT28\",\n                            \"Thrip\",\n                            \"Gorgon Group\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"Leviathan\",\n                            \"TA459\",\n                            \"FIN8\",\n                            \"MuddyWater\",\n                            \"Magic Hound\",\n                            \"OilRig\",\n                            \"BRONZE BUTLER\",\n                            \"CopyKittens\",\n                            \"APT32\",\n                            \"FIN7\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Patchwork\",\n                            \"Stealth Falcon\",\n                            \"FIN6\",\n                            \"Poseidon Group\",\n                            \"APT3\",\n                            \"APT29\",\n                            \"Deep Panda\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                   
     {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"attempt_to_set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Attempted Credential Dump From Registry via Reg exe\",\n                    \"id\": \"e9fb4a59-c5fb-440a-9f24-191fbc6b2911\",\n                    \"version\": 4,\n                    \"date\": \"2019-12-02\",\n                    \"description\": \"Monitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Patrick Bareiss, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=reg.exe OR Processes.process_name=cmd.exe) Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\\\\\\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\\\\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\\\\\System* OR Processes.process=*HKLM\\\\\\\\Security* OR Processes.process=*HKLM\\\\\\\\System* OR Processes.process=*HKLM\\\\\\\\SAM*) by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `attempted_credential_dump_from_registry_via_reg_exe_filter`\",\n                    \"known_false_positives\": \"None identified.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Credential Dumping\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1003.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n            
                \"Security Account Manager\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Credential Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Threat Group-3390\",\n                            \"Ke3chang\",\n                            \"Soft Cell\",\n                            \"Night Dragon\",\n                            \"Dragonfly 2.0\",\n                            \"menuPass\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"attempted_credential_dump_from_registry_via_reg_exe_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Attempted Credential Dump From Registry via Reg exe - SSA\",\n                    \"id\": \"14038953-e5f2-4daf-acff-5452062baf03\",\n                    \"version\": 1,\n                    \"date\": \"2020-6-04\",\n                    \"description\": \"Monitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline.\",\n                    \"how_to_implement\": \"You must be ingesting windows endpoint data that tracks process activity, including parent-child relationships from your endpoints.\",\n                    \"type\": \"SSA\",\n                    \"references\": [\n                        \"https://github.com/splunk/security-content/blob/55a17c65f9f56c2220000b62701765422b46125d/detections/attempted_credential_dump_from_registry_via_reg_exe.yml\"\n                    ],\n                    \"author\": \"Jose Hernandez, Splunk\",\n                    \"search\": \" | from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, \\\"_time\\\"), \\\"string\\\", null)) | eval process_name=lower(ucast(map_get(input_event, \\\"process_name\\\"), \\\"string\\\", null)), cmd_line=ucast(map_get(input_event, \\\"process\\\"), \\\"string\\\", null), dest_user_id=ucast(map_get(input_event, \\\"dest_user_id\\\"), \\\"string\\\", null), dest_device_id=ucast(map_get(input_event, \\\"dest_device_id\\\"), \\\"string\\\", null) | where process_name=\\\"cmd.exe\\\" OR process_name=\\\"reg.exe\\\" | where cmd_line != null  AND match_regex(cmd_line, /(?i)save\\\\s+/)=true AND ( match_regex(cmd_line, /(?i)HKLM\\\\\\\\Security/)=true OR match_regex(cmd_line, /(?i)HKLM\\\\\\\\SAM/)=true OR match_regex(cmd_line, /(?i)HKLM\\\\\\\\System/)=true OR 
match_regex(cmd_line, /(?i)HKEY_LOCAL_MACHINE\\\\\\\\Security/)=true OR match_regex(cmd_line, /(?i)HKEY_LOCAL_MACHINE\\\\\\\\SAM/)=true OR match_regex(cmd_line, /(?i)HKEY_LOCAL_MACHINE\\\\\\\\System/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend(dest_device_id, dest_user_id), body = \\\"TBD\\\" | into write_ssa_detected_events(); \",\n                    \"known_false_positives\": \"None identified.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Credential Dumping\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"risk_severity\": \"low\",\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"OS Credential Dumping\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Credential Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Frankenstein\",\n                            \"APT32\",\n                            \"APT28\",\n                            \"Leviathan\",\n                            \"Sowbug\",\n                            \"Suckfly\",\n                            \"Poseidon Group\",\n                          
  \"Axiom\"\n                        ]\n                    }\n                },\n                {\n                    \"name\": \"Create Remote Thread into LSASS\",\n                    \"id\": \"67d4dbef-9564-4699-8da8-03a151529edc\",\n                    \"version\": 1,\n                    \"date\": \"2019-12-06\",\n                    \"description\": \"Detect remote thread creation into LSASS consistent with credential dumping.\",\n                    \"how_to_implement\": \"This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\"\n                    ],\n                    \"author\": \"Patrick Bareiss, Splunk\",\n                    \"search\": \"`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by Computer, EventCode, TargetImage, TargetProcessId | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter`\",\n                    \"known_false_positives\": \"Other tools can access LSASS for legitimate reasons and generate an event. 
In these cases, tweaking the search may help eliminate noise.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Credential Dumping\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1003.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Windows\",\n                        \"mitre_attack_technique\": [\n                            \"LSASS Memory\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Credential Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Whitefly\",\n                            \"Blue Mockingbird\",\n                            \"Silence\",\n                            \"Threat Group-3390\",\n                            \"Leviathan\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"Stolen Pencil\",\n                            \"APT32\",\n                            \"Lazarus Group\",\n                            \"Leafminer\",\n                            \"Magic Hound\",\n                            \"MuddyWater\",\n                            \"PLATINUM\",\n                            \"FIN8\",\n  
                          \"BRONZE BUTLER\",\n                            \"OilRig\",\n                            \"FIN6\",\n                            \"APT3\",\n                            \"APT28\",\n                            \"APT1\",\n                            \"Ke3chang\",\n                            \"Cleaver\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"sysmon\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"create_remote_thread_into_lsass_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Creation of Shadow Copy\",\n                    \"id\": \"eb120f5f-b879-4a63-97c1-93352b5df844\",\n                    \"version\": 1,\n                    \"date\": \"2019-12-10\",\n                    \"description\": \"Monitor for signs that Ntdsutil, Vssadmin, or Wmic has been used to create a shadow copy.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\"\n                    ],\n                    \"author\": \"Patrick Bareiss, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=ntdsutil.exe Processes.process=*ntds* Processes.process=*create*) OR (Processes.process_name=vssadmin.exe Processes.process=*create* Processes.process=*shadow*) OR (Processes.process_name=wmic.exe Processes.process=*shadowcopy* Processes.process=*create*) by Processes.dest Processes.user Processes.process_name Processes.process  Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_filter`\",\n                    \"known_false_positives\": \"Legitimate administrator 
usage of Ntdsutil, Vssadmin, or Wmic will create false positives.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Credential Dumping\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1003.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"NTDS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Credential Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"FIN6\",\n                            \"Dragonfly 2.0\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                           
 \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"creation_of_shadow_copy_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Creation of Shadow Copy with wmic and powershell\",\n                    \"id\": \"2ed8b538-d284-449a-be1d-82ad1dbd186b\",\n                    \"version\": 1,\n                    \"date\": \"2019-12-10\",\n                    \"description\": \"This search detects the use of wmic and Powershell to create a shadow copy.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\"\n                    ],\n                    \"author\": \"Patrick Bareiss, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic* OR Processes.process_name=powershell* Processes.process=*shadowcopy* Processes.process=*create* by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_with_wmic_and_powershell_filter`\",\n                    \"known_false_positives\": \"Legitimate administrator usage of wmic to create a shadow copy.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Credential Dumping\"\n                        ],\n                        \"mitre_attack_id\": 
[\n                            \"T1003.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"NTDS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Credential Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"FIN6\",\n                            \"Dragonfly 2.0\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false 
positives. \",\n                            \"name\": \"creation_of_shadow_copy_with_wmic_and_powershell_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Credential Dumping via Copy Command from Shadow Copy\",\n                    \"id\": \"d8c406fe-23d2-45f3-a983-1abe7b83ff3b\",\n                    \"version\": 1,\n                    \"date\": \"2019-12-10\",\n                    \"description\": \"This search detects credential dumping using copy command from a shadow copy.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\"\n                    ],\n                    \"author\": \"Patrick Bareiss, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe (Processes.process=*\\\\\\\\system32\\\\\\\\config\\\\\\\\sam* OR Processes.process=*\\\\\\\\system32\\\\\\\\config\\\\\\\\security* OR Processes.process=*\\\\\\\\system32\\\\\\\\config\\\\\\\\system* OR Processes.process=*\\\\\\\\windows\\\\\\\\ntds\\\\\\\\ntds.dit*) by Processes.dest Processes.user Processes.process_name Processes.process  Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | 
`credential_dumping_via_copy_command_from_shadow_copy_filter` \",\n                    \"known_false_positives\": \"unknown\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Credential Dumping\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1003.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"NTDS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Credential Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"FIN6\",\n                            \"Dragonfly 2.0\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": 
\"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"credential_dumping_via_copy_command_from_shadow_copy_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Credential Dumping via Symlink to Shadow Copy\",\n                    \"id\": \"c5eac648-fae0-4263-91a6-773df1f4c903\",\n                    \"version\": 1,\n                    \"date\": \"2019-12-10\",\n                    \"description\": \"This search detects the creation of a symlink to a shadow copy.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\"\n                    ],\n                    \"author\": \"Patrick Bareiss, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name Processes.process  Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_symlink_to_shadow_copy_filter` \",\n                    \"known_false_positives\": \"unknown\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Credential Dumping\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1003.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"NTDS\"\n                        ],\n                   
     \"mitre_attack_tactics\": [\n                            \"Credential Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"FIN6\",\n                            \"Dragonfly 2.0\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"credential_dumping_via_symlink_to_shadow_copy_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Credential Dumping through LSASS access\",\n                    \"id\": \"2c365e57-4414-4540-8dc0-73ab10729996\",\n                    \"version\": 3,\n                    \"date\": \"2019-12-03\",\n                    \"description\": \"This search looks for reading lsass memory consistent with credential dumping.\",\n                    \"how_to_implement\": \"This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. 
This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Patrick Bareiss, Splunk\",\n                    \"search\": \"`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter` \",\n                    \"known_false_positives\": \"The activity may be legitimate. Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. 
In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Credential Dumping\",\n                            \"Detect Zerologon Attack\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1003.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\",\n                            \"PR.AC\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Windows\",\n                        \"mitre_attack_technique\": [\n                            \"LSASS Memory\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Credential Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Whitefly\",\n                            \"Blue Mockingbird\",\n                            \"Silence\",\n                            \"Threat Group-3390\",\n                            \"Leviathan\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"Stolen Pencil\",\n                            \"APT32\",\n                            
\"Lazarus Group\",\n                            \"Leafminer\",\n                            \"Magic Hound\",\n                            \"MuddyWater\",\n                            \"PLATINUM\",\n                            \"FIN8\",\n                            \"BRONZE BUTLER\",\n                            \"OilRig\",\n                            \"FIN6\",\n                            \"APT3\",\n                            \"APT28\",\n                            \"APT1\",\n                            \"Ke3chang\",\n                            \"Cleaver\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"sysmon\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"detect_credential_dumping_through_lsass_access_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Dump LSASS Memory using comsvcs - SSA\",\n                    \"id\": \"76bb9e35-f314-4c3d-a385-83c72a13ce4e\",\n                    \"version\": 1,\n                    \"date\": \"2020-09-15\",\n                    \"description\": \"This search detects the memory of lsass.exe being dumped for offline credential theft attack.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including Windows command line logging. You can see how we test this with [Event Code 4688](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4688a) on the [attack_range](https://github.com/splunk/attack_range/blob/develop/ansible/roles/windows_common/tasks/windows-enable-4688-cmd-line-audit.yml).\",\n                    \"type\": \"SSA\",\n                    \"references\": [\n                        \"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\"\n                    ],\n                    \"author\": \"Jose Hernandez, Splunk\",\n                    \"search\": \"| from read_ssa_enriched_events() | select from_json_object(value) as input_event | eval tenant=ucast(map_get(input_event, \\\"_tenant\\\"), \\\"string\\\", null), machine=ucast(map_get(input_event, \\\"dest_device_id\\\"), \\\"string\\\", null), process_name=lower(ucast(map_get(input_event, \\\"process_name\\\"), \\\"string\\\", null)), timestamp=parse_long(ucast(map_get(input_event, \\\"_time\\\"), \\\"string\\\", null)), process=lower(ucast(map_get(input_event, \\\"process\\\"), \\\"string\\\", null)) | where process_name LIKE \\\"%rundll32.exe%\\\" AND match_regex(process, /(?i)comsvcs.dll[,\\\\s]+MiniDump/)=true | 
eval start_time = timestamp, end_time = timestamp, entities = mvappend(machine), body = \\\"TBD\\\" | into write_ssa_detected_events();\",\n                    \"known_false_positives\": \"None identified.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Credential Dumping\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1003.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"risk_severity\": \"low\",\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"NTDS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Credential Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"FIN6\",\n                            \"Dragonfly 2.0\"\n                        ]\n                    }\n                },\n                {\n                    \"name\": \"Detect Mimikatz Using Loaded Images\",\n                    \"id\": \"29e307ba-40af-4ab2-91b2-3c6b392bbba0\",\n                    \"version\": 1,\n                    \"date\": \"2019-12-03\",\n                    \"description\": \"This search looks for reading loaded Images unique to credential dumping with Mimikatz.\",\n                    \"how_to_implement\": \"This search needs Sysmon Logs and a sysmon configuration, which includes 
EventCode 7 with powershell.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html\"\n                    ],\n                    \"author\": \"Patrick Bareiss, Splunk\",\n                    \"search\": \"`sysmon` EventCode=7 | stats values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId by Computer, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_using_loaded_images_filter`\",\n                    \"known_false_positives\": \"Other tools can import the same DLLs. 
These tools should be part of an allowlist.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Credential Dumping\",\n                            \"Detect Zerologon Attack\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1003.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 6\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Windows\",\n                        \"mitre_attack_technique\": [\n                            \"LSASS Memory\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Credential Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Whitefly\",\n                            \"Blue Mockingbird\",\n                            \"Silence\",\n                            \"Threat Group-3390\",\n                            \"Leviathan\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"Stolen Pencil\",\n                            \"APT32\",\n                            \"Lazarus Group\",\n                            \"Leafminer\",\n                            \"Magic Hound\",\n                            \"MuddyWater\",\n                            \"PLATINUM\",\n                            \"FIN8\",\n                            \"BRONZE BUTLER\",\n                            \"OilRig\",\n                            \"FIN6\",\n                            \"APT3\",\n                            \"APT28\",\n                            \"APT1\",\n                            \"Ke3chang\",\n                            \"Cleaver\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"sysmon\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"detect_mimikatz_using_loaded_images_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Dump LSASS via comsvcs DLL\",\n                    \"id\": \"8943b567-f14d-4ee8-a0bb-2121d4ce3184\",\n                    \"version\": 1,\n                    \"date\": \"2020-02-21\",\n                    \"description\": \"Detect the usage of comsvcs.dll for dumping the lsass process.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\",\n                        \"https://twitter.com/SBousseaden/status/1167417096374050817\"\n                    ],\n                    \"author\": \"Patrick Bareiss, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process=*comsvcs.dll* Processes.process=*MiniDump* by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`\",\n                    \"known_false_positives\": \"None identified.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Credential Dumping\"\n                        ],\n                        \"mitre_attack_id\": [\n                            
\"T1003.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"LSASS Memory\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Credential Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Whitefly\",\n                            \"Blue Mockingbird\",\n                            \"Silence\",\n                            \"Threat Group-3390\",\n                            \"Leviathan\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"Stolen Pencil\",\n                            \"APT32\",\n                            \"Lazarus Group\",\n                            \"Leafminer\",\n                            \"Magic Hound\",\n                            \"MuddyWater\",\n                            \"PLATINUM\",\n                            \"FIN8\",\n                            \"BRONZE BUTLER\",\n                            \"OilRig\",\n                            \"FIN6\",\n                            \"APT3\",\n                            \"APT28\",\n                            \"APT1\",\n                  
          \"Ke3chang\",\n                            \"Cleaver\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"dump_lsass_via_comsvcs_dll_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Unsigned Image Loaded by LSASS\",\n                    \"id\": \"56ef054c-76ef-45f9-af4a-a634695dcd65\",\n                    \"version\": 1,\n                    \"date\": \"2019-12-06\",\n                    \"description\": \"This search detects loading of unsigned images by LSASS.\",\n                    \"how_to_implement\": \"This search needs Sysmon Logs with a sysmon configuration, which includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. 
Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\"\n                    ],\n                    \"author\": \"Patrick Bareiss, Splunk\",\n                    \"search\": \"`sysmon` EventID=7 Image=*lsass.exe Signed=false | stats count min(_time) as firstTime max(_time) as lastTime by Computer, Image, ImageLoaded, Signed, SHA1 | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `unsigned_image_loaded_by_lsass_filter` \",\n                    \"known_false_positives\": \"Other tools could load images into LSASS for legitimate reason. But enterprise tools should always use signed DLLs.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Credential Dumping\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1003.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Windows\",\n                        \"mitre_attack_technique\": [\n                            \"LSASS Memory\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            
\"Credential Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Whitefly\",\n                            \"Blue Mockingbird\",\n                            \"Silence\",\n                            \"Threat Group-3390\",\n                            \"Leviathan\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"Stolen Pencil\",\n                            \"APT32\",\n                            \"Lazarus Group\",\n                            \"Leafminer\",\n                            \"Magic Hound\",\n                            \"MuddyWater\",\n                            \"PLATINUM\",\n                            \"FIN8\",\n                            \"BRONZE BUTLER\",\n                            \"OilRig\",\n                            \"FIN6\",\n                            \"APT3\",\n                            \"APT28\",\n                            \"APT1\",\n                            \"Ke3chang\",\n                            \"Cleaver\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"sysmon\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"unsigned_image_loaded_by_lsass_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Data Protection\",\n            \"id\": \"91c676cf-0b23-438d-abee-f6335e1fce33\",\n            \"version\": 1,\n            \"date\": \"2017-09-14\",\n            \"description\": \"Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches that monitor for and help you investigate possible signs of data exfiltration.\",\n            \"narrative\": \"Attackers can leverage a variety of resources to compromise or exfiltrate enterprise data. Common exfiltration techniques include remote-access channels via low-risk, high-payoff active-collections operations and close-access operations using insiders and removable media. 
While this Analytic Story is not a comprehensive listing of all the methods by which attackers can exfiltrate data, it provides a useful starting point.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.cisecurity.org/controls/data-protection/\",\n                \"https://www.sans.org/reading-room/whitepapers/dns/splunk-detect-dns-tunneling-37022\",\n                \"https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Data Protection\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Abuse\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1071.004\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"DNS\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Tropic Trooper\",\n                    \"APT18\",\n                    \"APT39\",\n                    \"FIN7\",\n                    \"APT41\",\n                    \"OilRig\",\n                    \"Cobalt Group\",\n                    \"Ke3chang\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect USB device insertion\",\n                    \"id\": \"104658f4-afdc-499f-9719-17a43f9826f5\",\n                    \"version\": 1,\n                    \"date\": \"2017-11-27\",\n                    \"description\": \"The search is used to detect hosts that generate Windows Event ID 4663 for successful attempts to write to or read from a removable storage and Event ID 4656 for failures, which occurs when a USB drive is plugged in. 
In this scenario we are querying the Change_Analysis data model to look for Windows Event ID 4656 or 4663 where the priority of the affected host is marked as high in the ES Assets and Identity Framework.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663 and 4656. Ensure that the field from the event logs is being mapped to the result_id field in the Change_Analysis data model. To minimize the alert volume, this search leverages the Assets and Identity framework to filter out events from those assets not marked high priority in the Enterprise Security Assets and Identity Framework.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count earliest(_time) AS earliest latest(_time) AS latest from datamodel=Change_Analysis where (nodename = All_Changes) All_Changes.result=\\\"Removable Storage device\\\" (All_Changes.result_id=4663 OR All_Changes.result_id=4656) (All_Changes.src_priority=high) by All_Changes.dest | `drop_dm_object_name(\\\"All_Changes\\\")`| `security_content_ctime(earliest)`| `security_content_ctime(latest)`  | `detect_usb_device_insertion_filter`\",\n                    \"known_false_positives\": \"Legitimate USB activity will also be detected. 
Please verify and investigate as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Data Protection\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"detect_usb_device_insertion_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect hosts connecting to dynamic domain providers\",\n                    \"id\": \"c77162d3-f93c-45cc-80c8-22f6v5464g9f\",\n                    \"version\": 2,\n                    \"date\": \"2020-01-16\",\n                    \"description\": \"Malicious actors often abuse legitimate Dynamic DNS services to host malicious payloads or interactive command and control nodes. Attackers will automate domain resolution changes by routing dynamic domains to countless IP addresses to circumvent firewall blocks, blacklists as well as frustrate a network defenders analytic and investigative processes. This search will look for DNS queries made from within your infrastructure to suspicious dynamic domains.\",\n                    \"how_to_implement\": \"First, you'll need to ingest data from your DNS operations. This can be done by ingesting logs from your server or data, collected passively by Splunk Stream or a similar solution. Specifically, data that contains the domain that is being queried and the IP of the host originating the request must be populating the `Network_Resolution` data model. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of Dynamic DNS providers. Please consider updating the local lookup periodically by adding new domains to the list of `dynamic_dns_providers_local.csv`.\\\\\\nThis search produces fields (query, answer, isDynDNS) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable event. To see the additional metadata, add the following fields, if not already present, to Incident Review. 
Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** DNS Query, **Field:** query\\\\\\n1. \\\\\\n1. **Label:** DNS Answer, **Field:** answer\\\\\\n1. \\\\\\n1. **Label:** IsDynamicDNS, **Field:** isDynDNS\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(\\\"DNS\\\")` | `security_content_ctime(firstTime)` | `dynamic_dns_providers` | `detect_hosts_connecting_to_dynamic_domain_providers_filter`\",\n                    \"known_false_positives\": \"Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Data Protection\",\n                            \"Prohibited Traffic Allowed or Protocol Mismatch\",\n                            \"DNS Hijacking\",\n                            \"Suspicious DNS Traffic\",\n                            \"Dynamic DNS\",\n                            \"Command and Control\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 12\",\n                            \"CIS 13\"\n                        
],\n                        \"nist\": [\n                            \"PR.DS\",\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True\",\n                            \"description\": \"This macro limits the output of the query field to dynamic dns domains. 
It looks up the domains in a file provided by Splunk and one intended to be updated by the end user.\",\n                            \"name\": \"dynamic_dns_providers\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_hosts_connecting_to_dynamic_domain_providers_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detection of DNS Tunnels\",\n                    \"id\": \"104658f4-afdc-499f-9719-17a43f9826f4\",\n                    \"version\": 2,\n                    \"date\": \"2017-09-18\",\n                    \"description\": \"This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic.\",\n                    \"how_to_implement\": \"To successfully implement this search, we must ensure that DNS data is being ingested and mapped to the appropriate fields in the Network_Resolution data model. 
Fields like src_category are automatically provided by the Assets and Identity Framework shipped with Splunk Enterprise Security. You will need to ensure you are using the Assets and Identity Framework and populating the src_category field. You will also need to enable the `cim_corporate_web_domain_search()` macro which will essentially filter out the DNS queries made to the corporate web domains to reduce alert fatigue.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` dc(\\\"DNS.query\\\") as count  from datamodel=Network_Resolution  where nodename=DNS \\\"DNS.message_type\\\"=\\\"QUERY\\\" NOT (`cim_corporate_web_domain_search(\\\"DNS.query\\\")`) NOT \\\"DNS.query\\\"=\\\"*.in-addr.arpa\\\" NOT (\\\"DNS.src_category\\\"=\\\"svc_infra_dns\\\" OR \\\"DNS.src_category\\\"=\\\"svc_infra_webproxy\\\" OR \\\"DNS.src_category\\\"=\\\"svc_infra_email*\\\"   ) by \\\"DNS.src\\\",\\\"DNS.query\\\" | rename \\\"DNS.src\\\" as src  \\\"DNS.query\\\" as message | eval length=len(message) | stats sum(length) as length by src | append [ tstats `security_content_summariesonly` dc(\\\"DNS.answer\\\") as count  from datamodel=Network_Resolution  where nodename=DNS \\\"DNS.message_type\\\"=\\\"QUERY\\\" NOT (`cim_corporate_web_domain_search(\\\"DNS.query\\\")`) NOT \\\"DNS.query\\\"=\\\"*.in-addr.arpa\\\" NOT (\\\"DNS.src_category\\\"=\\\"svc_infra_dns\\\" OR \\\"DNS.src_category\\\"=\\\"svc_infra_webproxy\\\" OR \\\"DNS.src_category\\\"=\\\"svc_infra_email*\\\"   ) by \\\"DNS.src\\\",\\\"DNS.answer\\\" | rename \\\"DNS.src\\\" as src  \\\"DNS.answer\\\" as message | eval message=if(message==\\\"unknown\\\",\\\"\\\", message) | eval length=len(message) | stats sum(length) as length by src ] | stats sum(length) as length by src | where length > 10000 | `detection_of_dns_tunnels_filter`\",\n                    
\"known_false_positives\": \"It's possible that normal DNS traffic will exhibit this behavior. If an alert is generated, please investigate and validate as appropriate. The threshold can also be modified to better suit your environment.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Data Protection\",\n                            \"Suspicious DNS Traffic\",\n                            \"Command and Control\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1071.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"DNS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"OilRig\",\n                            \"Ke3chang\",\n                            \"Cobalt Group\",\n                            \"APT18\",\n                            \"APT41\",\n                            \"FIN7\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": 
\"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detection_of_dns_tunnels_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Detect Zerologon Attack\",\n            \"id\": \"5d14a962-569e-4578-939f-f386feb63ce4\",\n            \"version\": 1,\n            \"date\": \"2020-09-18\",\n            \"description\": \"Uncover activity related to the execution of Zerologon CVE-2020-1472, a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result of this attack is that attackers can grant themselves high privileges and take over the Domain Controller. The included searches in this Analytic Story are designed to identify attempts to reset the Domain Controller computer account remotely via exploit code or via the use of the Mimikatz tool as a payload carrier.\",\n            \"narrative\": \"This attack is a privilege escalation technique, where an attacker targets a Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). This vulnerability exposes vulnerable Windows Domain Controllers to be targeted via unauthenticated RPC calls which eventually reset the Domain Controller computer account ($), providing the attacker the opportunity to exfiltrate domain controller credential secrets and assign themselves high privileges that can lead to domain controller and potentially complete network takeover. 
The detection searches in this Analytic Story use Windows Event Viewer events and Sysmon events to detect attack execution; these searches monitor access to the Local Security Authority Subsystem Service (LSASS) process, which is an indicator of the use of the Mimikatz tool, which has been updated to carry this attack payload.\",\n            \"author\": \"Rod Soto, Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://attack.mitre.org/wiki/Technique/T1003\",\n                \"https://github.com/SecuraBV/CVE-2020-1472\",\n                \"https://www.secura.com/blog/zero-logon\",\n                \"https://nvd.nist.gov/vuln/detail/CVE-2020-1472\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Detect Zerologon Attack\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1210\",\n                    \"T1003.001\",\n                    \"T1190\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Exploit Public-Facing Application\",\n                    \"LSASS Memory\",\n                    \"Exploitation of Remote Services\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Credential Access\",\n                    \"Lateral Movement\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Soft Cell\",\n                    \"Lazarus Group\",\n                    \"Stolen Pencil\",\n                    \"Cleaver\",\n                    \"APT41\",\n                    \"BRONZE BUTLER\",\n                    \"Threat Group-3390\",\n                    \"Night Dragon\",\n                 
   \"APT32\",\n                    \"TEMP.Veles\",\n                    \"APT28\",\n                    \"Ke3chang\",\n                    \"Whitefly\",\n                    \"FIN8\",\n                    \"Sandworm Team\",\n                    \"Silence\",\n                    \"Blue Mockingbird\",\n                    \"APT39\",\n                    \"Magic Hound\",\n                    \"PLATINUM\",\n                    \"Leafminer\",\n                    \"Axiom\",\n                    \"APT3\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"BlackTech\",\n                    \"Rocke\",\n                    \"APT33\",\n                    \"APT1\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect Computer Changed with Anonymous Account\",\n                    \"id\": \"1400624a-d42d-484d-8843-e6753e6e3645\",\n                    \"version\": 1,\n                    \"date\": \"2020-09-18\",\n                    \"description\": \"This search looks for Event Code 4742 (Computer Change) or EventCode 4624 (An account was successfully logged on) with an anonymous account.\",\n                    \"how_to_implement\": \"This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. 
The search also uses a post-filter macro designed to filter out known false positives.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/\"\n                    ],\n                    \"author\": \"Rod Soto, Jose Hernandez, Splunk\",\n                    \"search\": \"`wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName=\\\"ANONYMOUS LOGON\\\" LogonType=3 | stats count values(host) as host, values(TargetDomainName) as Domain, values(user) as user | `detect_computer_changed_with_anonymous_account_filter`\",\n                    \"known_false_positives\": \"None thus far found\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Detect Zerologon Attack\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1210\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 6\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Windows\",\n                        \"mitre_attack_technique\": [\n                            \"Exploitation of Remote Services\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Threat Group-3390\",\n                            \"APT28\"\n      
                  ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"eventtype=wineventlog_security\",\n                            \"description\": \"Customer-specific Splunk configurations (e.g., index, source, sourcetype). Replace the macro definition with configurations for your Splunk environment.\",\n                            \"name\": \"wineventlog_security\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_computer_changed_with_anonymous_account_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Credential Dumping through LSASS access\",\n                    \"id\": \"2c365e57-4414-4540-8dc0-73ab10729996\",\n                    \"version\": 3,\n                    \"date\": \"2019-12-03\",\n                    \"description\": \"This search looks for reads of lsass memory that are consistent with credential dumping.\",\n                    \"how_to_implement\": \"This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. 
The search also uses a post-filter macro designed to filter out known false positives.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Patrick Bareiss, Splunk\",\n                    \"search\": \"`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter` \",\n                    \"known_false_positives\": \"The activity may be legitimate. Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Credential Dumping\",\n                            \"Detect Zerologon Attack\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1003.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\",\n                            \"PR.AC\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Windows\",\n                        
\"mitre_attack_technique\": [\n                            \"LSASS Memory\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Credential Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Whitefly\",\n                            \"Blue Mockingbird\",\n                            \"Silence\",\n                            \"Threat Group-3390\",\n                            \"Leviathan\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"Stolen Pencil\",\n                            \"APT32\",\n                            \"Lazarus Group\",\n                            \"Leafminer\",\n                            \"Magic Hound\",\n                            \"MuddyWater\",\n                            \"PLATINUM\",\n                            \"FIN8\",\n                            \"BRONZE BUTLER\",\n                            \"OilRig\",\n                            \"FIN6\",\n                            \"APT3\",\n                            \"APT28\",\n                            \"APT1\",\n                            \"Ke3chang\",\n                            \"Cleaver\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk environment.\",\n                            \"name\": \"sysmon\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_credential_dumping_through_lsass_access_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Mimikatz Using Loaded Images\",\n                    \"id\": \"29e307ba-40af-4ab2-91b2-3c6b392bbba0\",\n                    \"version\": 1,\n                    \"date\": \"2019-12-03\",\n                    \"description\": \"This search looks for loaded images that are unique to credential dumping with Mimikatz.\",\n                    \"how_to_implement\": \"This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 7 with powershell.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. 
The search also uses a post-filter macro designed to filter out known false positives.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html\"\n                    ],\n                    \"author\": \"Patrick Bareiss, Splunk\",\n                    \"search\": \"`sysmon` EventCode=7 | stats values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId by Computer, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mimikatz_using_loaded_images_filter`\",\n                    \"known_false_positives\": \"Other tools can import the same DLLs. These tools should be part of a whitelist.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Credential Dumping\",\n                            \"Detect Zerologon Attack\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1003.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 6\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Windows\",\n                        \"mitre_attack_technique\": [\n                            \"LSASS Memory\"\n                        ],\n                        \"mitre_attack_tactics\": [\n        
                    \"Credential Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Whitefly\",\n                            \"Blue Mockingbird\",\n                            \"Silence\",\n                            \"Threat Group-3390\",\n                            \"Leviathan\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"Stolen Pencil\",\n                            \"APT32\",\n                            \"Lazarus Group\",\n                            \"Leafminer\",\n                            \"Magic Hound\",\n                            \"MuddyWater\",\n                            \"PLATINUM\",\n                            \"FIN8\",\n                            \"BRONZE BUTLER\",\n                            \"OilRig\",\n                            \"FIN6\",\n                            \"APT3\",\n                            \"APT28\",\n                            \"APT1\",\n                            \"Ke3chang\",\n                            \"Cleaver\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk environment.\",\n                            \"name\": \"sysmon\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_mimikatz_using_loaded_images_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Zerologon via Zeek\",\n                    \"id\": \"bf7a06ec-f703-11ea-adc1-0242ac120002\",\n                    \"version\": 1,\n                    \"date\": \"2020-09-15\",\n                    \"description\": \"This search detects attempts to run exploits for the Zerologon CVE-2020-1472 vulnerability via Zeek RPC.\",\n                    \"how_to_implement\": \"You must be ingesting Zeek DCE-RPC data into Splunk. Zeek data should also be ingested in JSON format.  We are detecting when all three RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are observed via bro:rpc:json.  
These three operations are then correlated on the Zeek UID field.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://www.secura.com/blog/zero-logon\",\n                        \"https://github.com/SecuraBV/CVE-2020-1472\",\n                        \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472\"\n                    ],\n                    \"author\": \"Shannon Davis, Splunk\",\n                    \"search\": \"`zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3) | bin span=5m _time | stats values(operation) dc(operation) as opscount count(eval(operation==\\\"NetrServerReqChallenge\\\")) as challenge count(eval(operation==\\\"NetrServerAuthenticate3\\\")) as authcount count(eval(operation==\\\"NetrServerPasswordSet2\\\")) as passcount count as totalcount by _time,src_ip,dest_ip | search opscount=3 authcount>4 passcount>0 | search `detect_zerologon_via_zeek_filter`\",\n                    \"known_false_positives\": \"unknown\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Detect Zerologon Attack\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1190\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Exploitation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 11\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Network\",\n                        \"mitre_attack_technique\": [\n                            \"Exploit Public-Facing Application\"\n                     
   ],\n                        \"mitre_attack_tactics\": [\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"Rocke\",\n                            \"APT39\",\n                            \"BlackTech\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"Night Dragon\",\n                            \"Axiom\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"index=zeek sourcetype=\\\"zeek:rpc:json\\\"\",\n                            \"description\": \"Customer-specific Splunk configurations (e.g., index, source, sourcetype). Replace the macro definition with configurations for your Splunk environment.\",\n                            \"name\": \"zeek_rpc\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_zerologon_via_zeek_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"DHS Report TA18-074A\",\n            \"id\": \"0c016e5c-88be-4e2c-8c6c-c2b55b4fb4ef\",\n            \"version\": 2,\n            \"date\": \"2020-01-22\",\n            \"description\": \"Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearphishing attacks, malware, watering-hole domains, and more.\",\n            \"narrative\": \"The frequency of nation-state cyber attacks has increased significantly over the last decade. 
Employing numerous tactics and techniques, these attacks continue to escalate in complexity. \\\\\\nThere is a wide range of motivations for these state-sponsored hacks, including stealing valuable corporate, military, or diplomatic data—all of which could confer advantages in various arenas. They may also target critical infrastructure. \\\\\\nOne joint Technical Alert (TA) issued by the Department of Homeland Security and the FBI in mid-March of 2018 attributed some cyber activity targeting utility infrastructure to operatives sponsored by the Russian government. The hackers executed spearphishing attacks, installed malware, employed watering-hole domains, and more. While they caused no physical damage, the attacks provoked fears that a nation-state could turn off water, redirect power, or compromise a nuclear power plant.\\\\\\nSuspicious activities--spikes in SMB traffic, processes that launch netsh (to modify the network configuration), suspicious registry modifications, and many more--may all be events you wish to investigate further. 
While the use of these techniques may be an indication that a nation-state actor is attempting to compromise your environment, it is important to note that these techniques are often employed by other groups, as well.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.us-cert.gov/ncas/alerts/TA18-074A\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"DHS Report TA18-074A\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Malware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1136.001\",\n                    \"T1059.003\",\n                    \"T1112\",\n                    \"T1021.002\",\n                    \"T1543.003\",\n                    \"T1059.001\",\n                    \"T1071.002\",\n                    \"T1547.001\",\n                    \"T1053.005\",\n                    \"T1562.004\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"SMB/Windows Admin Shares\",\n                    \"Scheduled Task\",\n                    \"File Transfer Protocols\",\n                    \"Windows Command Shell\",\n                    \"Registry Run Keys / Startup Folder\",\n                    \"Local Account\",\n                    \"Modify Registry\",\n                    \"Disable or Modify System Firewall\",\n                    \"PowerShell\",\n                    \"Windows Service\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\",\n                    \"Persistence\",\n                    \"Command And Control\",\n                    \"Privilege Escalation\",\n                    \"Defense Evasion\",\n                    \"Lateral Movement\"\n                ],\n                \"mitre_attack_groups\": [\n                    
\"MuddyWater\",\n                    \"Putter Panda\",\n                    \"Dragonfly 2.0\",\n                    \"Soft Cell\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"Rocke\",\n                    \"APT41\",\n                    \"BRONZE BUTLER\",\n                    \"Honeybee\",\n                    \"Gamaredon Group\",\n                    \"Frankenstein\",\n                    \"Threat Group-3390\",\n                    \"DarkHydrus\",\n                    \"Cobalt Group\",\n                    \"TA459\",\n                    \"APT18\",\n                    \"FIN10\",\n                    \"Tropic Trooper\",\n                    \"APT32\",\n                    \"Patchwork\",\n                    \"TEMP.Veles\",\n                    \"APT28\",\n                    \"Deep Panda\",\n                    \"Turla\",\n                    \"Rancor\",\n                    \"CopyKittens\",\n                    \"RTM\",\n                    \"Sharpshooter\",\n                    \"FIN8\",\n                    \"SilverTerrier\",\n                    \"APT38\",\n                    \"Gallmaker\",\n                    \"APT29\",\n                    \"Sowbug\",\n                    \"Silence\",\n                    \"Molerats\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"menuPass\",\n                    \"DarkVishnya\",\n                    \"Blue Mockingbird\",\n                    \"Suckfly\",\n                    \"Machete\",\n                    \"APT-C-36\",\n                    \"APT33\",\n                    \"Poseidon Group\",\n                    \"Stealth Falcon\",\n                    \"APT39\",\n                    \"Gorgon Group\",\n                    \"Magic Hound\",\n                    \"admin@338\",\n                    \"Orangeworm\",\n                    \"Inception\",\n                    \"Leafminer\",\n                    \"Kimsuky\",\n                
    \"Dark Caracal\",\n                    \"Carbanak\",\n                    \"Thrip\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"Wizard Spider\",\n                    \"WIRTE\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"Threat Group-1314\",\n                    \"FIN6\",\n                    \"TA505\",\n                    \"Ke3chang\",\n                    \"APT1\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Create local admin accounts using net exe\",\n                    \"id\": \"b89919ed-fe5f-492c-b139-151bb162040e\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for the creation of local administrator accounts using net.exe.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND (Processes.process=*localgroup* OR Processes.process=*/add* OR Processes.process=*user*) by Processes.process Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`create_local_admin_accounts_using_net_exe_filter` \",\n                    \"known_false_positives\": \"Administrators often leverage net.exe to create admin accounts.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1136.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Local Account\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            
\"Persistence\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"APT41\",\n                            \"Dragonfly 2.0\",\n                            \"Leafminer\",\n                            \"APT3\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"create_local_admin_accounts_using_net_exe_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect New Local Admin account\",\n                    \"id\": \"b25f6f62-0712-43c1-b203-083231ffd97d\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-08\",\n                    \"description\": \"This search looks for newly created accounts that have been elevated to local administrators.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`wineventlog_security` EventID=4720 OR (EventID=4732 Group_Name=Administrators) | transaction MemberSid connected=false maxspan=180m | rename MemberSid as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`\",\n                    \"known_false_positives\": \"The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. 
If your local administrator group name is not \\\"Administrators\\\", this search may generate an excessive number of false positives\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1136.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\",\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"PR.AC\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"access\",\n                        \"asset_type\": \"Windows\",\n                        \"mitre_attack_technique\": [\n                            \"Local Account\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"APT41\",\n                            \"Dragonfly 2.0\",\n                            \"Leafminer\",\n                            \"APT3\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"eventtype=wineventlog_security\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"wineventlog_security\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_new_local_admin_account_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect PsExec With accepteula Flag\",\n                    \"id\": \"b89919ed-fe5f-492c-b139-151xb162040e\",\n                    \"version\": 2,\n                    \"date\": \"2019-02-26\",\n                    \"description\": \"This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. 
If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument `accepteula` within the command line.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = PsExec.exe Processes.process = \\\"*accepteula*\\\" by Processes.process_name Processes.dest  Processes.parent_process_name | `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_psexec_with_accepteula_flag_filter`\",\n                    \"known_false_positives\": \"Administrators can leverage PsExec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. 
However, it is not likely that you'd see multiple occurrences of this event on a machine\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"SamSam Ransomware\",\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.003\",\n                            \"T1059.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Command Shell\",\n                            \"PowerShell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\",\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"TA505\",\n                            \"Blue Mockingbird\",\n                            \"Tropic Trooper\",\n                            \"Frankenstein\",\n                            \"OilRig\",\n                            \"Lazarus Group\",\n                            \"Honeybee\",\n                            \"Cobalt Group\",\n                            \"FIN7\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"Turla\",\n                            \"Silence\",\n                            \"APT32\",\n                  
          \"APT39\",\n                            \"Darkhotel\",\n                            \"MuddyWater\",\n                            \"APT18\",\n                            \"APT38\",\n                            \"Dark Caracal\",\n                            \"Gorgon Group\",\n                            \"Dragonfly 2.0\",\n                            \"Rancor\",\n                            \"Ke3chang\",\n                            \"APT37\",\n                            \"Leviathan\",\n                            \"FIN8\",\n                            \"APT28\",\n                            \"Magic Hound\",\n                            \"Sowbug\",\n                            \"BRONZE BUTLER\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Gamaredon Group\",\n                            \"Suckfly\",\n                            \"Patchwork\",\n                            \"Threat Group-1314\",\n                            \"APT3\",\n                            \"admin@338\",\n                            \"APT1\",\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"DarkVishnya\",\n                            \"Molerats\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Soft Cell\",\n                            \"TA505\",\n                            \"WIRTE\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"Gallmaker\",\n                            \"Turla\",\n                            \"APT19\",\n                            \"DarkHydrus\",\n                   
         \"APT28\",\n                            \"Thrip\",\n                            \"Gorgon Group\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"Leviathan\",\n                            \"TA459\",\n                            \"FIN8\",\n                            \"MuddyWater\",\n                            \"Magic Hound\",\n                            \"OilRig\",\n                            \"BRONZE BUTLER\",\n                            \"CopyKittens\",\n                            \"APT32\",\n                            \"FIN7\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Patchwork\",\n                            \"Stealth Falcon\",\n                            \"FIN6\",\n                            \"Poseidon Group\",\n                            \"APT3\",\n                            \"APT29\",\n                            \"Deep Panda\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                
            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_psexec_with_accepteula_flag_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"First time seen command line argument\",\n                    \"id\": \"9be56c82-b1cc-4318-87eb-q138afaaqa39\",\n                    \"version\": 5,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. Please make sure you run the support search \\\"Previously seen command line arguments,\\\"—which creates a lookup file called `previously_seen_cmd_line_arguments.csv`—a historical baseline of all command-line arguments. You must also validate this list. 
For the search to do accurate calculation, ensure the search scheduling is the same value as the `relative_time` evaluation function.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \\\"* /c *\\\" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest| `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \\\"* /c *\\\" by Processes.process | `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter` \",\n                    \"known_false_positives\": \"Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. 
We recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DHS Report TA18-074A\",\n                            \"Suspicious Command-Line Executions\",\n                            \"Orangeworm Attack Group\",\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Hidden Cobra Malware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.001\",\n                            \"T1059.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"PowerShell\",\n                            \"Windows Command Shell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\",\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"DarkVishnya\",\n                            \"Molerats\",\n                            \"Wizard Spider\",\n          
                  \"Frankenstein\",\n                            \"Inception\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Soft Cell\",\n                            \"TA505\",\n                            \"WIRTE\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"Gallmaker\",\n                            \"Turla\",\n                            \"APT19\",\n                            \"DarkHydrus\",\n                            \"APT28\",\n                            \"Thrip\",\n                            \"Gorgon Group\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"Leviathan\",\n                            \"TA459\",\n                            \"FIN8\",\n                            \"MuddyWater\",\n                            \"Magic Hound\",\n                            \"OilRig\",\n                            \"BRONZE BUTLER\",\n                            \"CopyKittens\",\n                            \"APT32\",\n                            \"FIN7\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Patchwork\",\n                            \"Stealth Falcon\",\n                            \"FIN6\",\n                            \"Poseidon Group\",\n                            \"APT3\",\n                            \"APT29\",\n                            \"Deep Panda\",\n                            \"TA505\",\n                            \"Blue Mockingbird\",\n                            \"Tropic Trooper\",\n                            \"Frankenstein\",\n                            \"OilRig\",\n                            \"Lazarus Group\",\n                            \"Honeybee\",\n        
                    \"Cobalt Group\",\n                            \"FIN7\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"Turla\",\n                            \"Silence\",\n                            \"APT32\",\n                            \"APT39\",\n                            \"Darkhotel\",\n                            \"MuddyWater\",\n                            \"APT18\",\n                            \"APT38\",\n                            \"Dark Caracal\",\n                            \"Gorgon Group\",\n                            \"Dragonfly 2.0\",\n                            \"Rancor\",\n                            \"Ke3chang\",\n                            \"APT37\",\n                            \"Leviathan\",\n                            \"FIN8\",\n                            \"APT28\",\n                            \"Magic Hound\",\n                            \"Sowbug\",\n                            \"BRONZE BUTLER\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Gamaredon Group\",\n                            \"Suckfly\",\n                            \"Patchwork\",\n                            \"Threat Group-1314\",\n                            \"APT3\",\n                            \"admin@338\",\n                            \"APT1\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously seen command line arguments\",\n                            \"id\": \"56059acf-50fe-4f60-98d1-b75b51b5c2f3\",\n                            \"version\": 2,\n                            \"date\": \"2019-03-01\",\n                            \"description\": \"This search looks for command-line arguments where `cmd.exe /c` is used to execute a program, then creates a 
baseline of the earliest and latest times we have encountered this command-line argument in our dataset within the last 30 days.\",\n                            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe AND Processes.process=\\\"* /c *\\\" by Processes.process | `drop_dm_object_name(Processes)`\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"DHS Report TA18-074A\",\n                                    \"Disabling Security Tools\",\n                                    \"Hidden Cobra Malware\",\n                                    \"Netsh Abuse\",\n                                    \"Orangeworm Attack Group\",\n                                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                                    \"Suspicious Command-Line Executions\",\n                                    \"Suspicious MSHTA Activity\"\n                                ],\n                                \"detections\": [\n                                    \"Detect Prohibited Applications Spawning cmd.exe\",\n                                    \"Processes launching netsh\",\n                                    \"First time seen command line argument\"\n                                ]\n                            }\n                        }\n               
     ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"first_time_seen_command_line_argument_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Malicious PowerShell Process - Execution Policy Bypass\",\n                    \"id\": \"9be56c82-b1cc-4318-87eb-d138afaaca39\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for PowerShell processes started with parameters used to bypass the local execution policy for scripts. These parameters are often observed in attacks leveraging PowerShell scripts as they override the default PowerShell execution policy.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe AND (Processes.process=\\\"* -ex*\\\" OR Processes.process=\\\"* bypass *\\\") by Processes.process_id, Processes.user, Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___execution_policy_bypass_filter`\",\n                    \"known_false_positives\": \"There may be legitimate reasons to bypass the PowerShell execution policy. 
The PowerShell script being run with this parameter should be validated to ensure that it is legitimate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 7\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"PowerShell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"DarkVishnya\",\n                            \"Molerats\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Soft Cell\",\n                            \"TA505\",\n                            \"WIRTE\",\n                            \"TEMP.Veles\",\n                       
     \"APT33\",\n                            \"Gallmaker\",\n                            \"Turla\",\n                            \"APT19\",\n                            \"DarkHydrus\",\n                            \"APT28\",\n                            \"Thrip\",\n                            \"Gorgon Group\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"Leviathan\",\n                            \"TA459\",\n                            \"FIN8\",\n                            \"MuddyWater\",\n                            \"Magic Hound\",\n                            \"OilRig\",\n                            \"BRONZE BUTLER\",\n                            \"CopyKittens\",\n                            \"APT32\",\n                            \"FIN7\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Patchwork\",\n                            \"Stealth Falcon\",\n                            \"FIN6\",\n                            \"Poseidon Group\",\n                            \"APT3\",\n                            \"APT29\",\n                            \"Deep Panda\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to 
string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"malicious_powershell_process___execution_policy_bypass_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Processes launching netsh\",\n                    \"id\": \"b89919ed-fe5f-492c-b139-95dbb162040e\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-10\",\n                    \"description\": \"This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. 
In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Josef Kuepker, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) AS Processes.process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=netsh.exe by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.user Processes.dest |`drop_dm_object_name(\\\"Processes\\\")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`processes_launching_netsh_filter`\",\n                    \"known_false_positives\": \"Some VPN applications are known to launch netsh.exe. 
Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Netsh Abuse\",\n                            \"Disabling Security Tools\",\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1562.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Disable or Modify System Firewall\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Rocke\",\n                            \"Lazarus Group\",\n                            \"Kimsuky\",\n                            \"Dragonfly 2.0\",\n                            \"Carbanak\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of SMB Traffic - MLTK\",\n                            \"id\": \"df98763b-0b08-4281-8ef9-08db7ac572a9\",\n                            \"version\": 1,\n                            \"date\": \"2019-05-08\",\n                            \"description\": \"This search is used to build a Machine 
Learning Toolkit (MLTK) model to characterize the number of SMB connections observed each hour for every day of week. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search to identify outliers in the number of SMB connections for that hour and day of the week.\",\n                            \"how_to_implement\": \"You must be ingesting network traffic and populating the Network_Traffic data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. To improve your results, you may consider adding \\\"src\\\" to the by clause, which will build the model for each unique source in your environment. However, if you have a large number of hosts in your environment, this search may be very resource intensive. In this case, you may need to raise the value of max_inputs and/or max_groups in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. 
More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=10m, All_Traffic.src | eval HourOfDay=strftime(_time, \\\"%H\\\") | eval DayOfWeek=strftime(_time, \\\"%A\\\") | `drop_dm_object_name(\\\"All_Traffic\\\")` | fit DensityFunction count by \\\"HourOfDay,DayOfWeek\\\" into smb_pdfmodel\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"DHS Report TA18-074A\",\n                                    \"Disabling Security Tools\",\n                                    \"Emotet Malware  DHS Report TA18-201A \",\n                                    \"Hidden Cobra Malware\",\n                                    \"Netsh Abuse\",\n                                    \"Ransomware\"\n                                ],\n                                \"detections\": [\n                                    \"Processes launching netsh\",\n                                    \"SMB Traffic Spike - MLTK\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Previously seen command line arguments\",\n                            \"id\": \"56059acf-50fe-4f60-98d1-b75b51b5c2f3\",\n                            \"version\": 2,\n                            \"date\": \"2019-03-01\",\n                            \"description\": \"This search looks for command-line arguments where `cmd.exe /c` is used to execute a program, then creates a baseline of the earliest and latest times we have encountered this command-line 
argument in our dataset within the last 30 days.\",\n                            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe AND Processes.process=\\\"* /c *\\\" by Processes.process | `drop_dm_object_name(Processes)`\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"DHS Report TA18-074A\",\n                                    \"Disabling Security Tools\",\n                                    \"Hidden Cobra Malware\",\n                                    \"Netsh Abuse\",\n                                    \"Orangeworm Attack Group\",\n                                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                                    \"Suspicious Command-Line Executions\",\n                                    \"Suspicious MSHTA Activity\"\n                                ],\n                                \"detections\": [\n                                    \"Detect Prohibited Applications Spawning cmd.exe\",\n                                    \"Processes launching netsh\",\n                                    \"First time seen command line argument\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n         
                   \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"processes_launching_netsh_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Registry Keys Used For Persistence\",\n                    \"id\": \"f5f6af30-7aa7-4295-bfe9-07fe87c01a4b\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"The search looks for modifications to registry keys that can be used to launch an application or service at system startup.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black or endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report reads and writes to the registry.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*currentversion\\\\\\\\run* OR Registry.registry_path=*currentVersion\\\\\\\\Windows\\\\\\\\Appinit_Dlls* OR Registry.registry_path=CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell* OR Registry.registry_path=*CurrentVersion\\\\\\\\Winlogon\\\\\\\\Userinit* OR Registry.registry_path=*CurrentVersion\\\\\\\\Winlogon\\\\\\\\VmApplet* OR Registry.registry_path=*currentversion\\\\\\\\policies\\\\\\\\explorer\\\\\\\\run* OR Registry.registry_path=*currentversion\\\\\\\\runservices* OR Registry.registry_path=*\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\* OR Registry.registry_path=\\\"*Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options*\\\" OR Registry.registry_path=HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Netsh\\\\\\\\*) by Registry.dest , Registry.status, Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `registry_keys_used_for_persistence_filter`\",\n                    \"known_false_positives\": \"There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Windows Registry Activities\",\n                            \"Suspicious MSHTA Activity\",\n                            \"DHS Report TA18-074A\",\n               
             \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Ransomware\",\n                            \"Windows Persistence Techniques\",\n                            \"Emotet Malware  DHS Report TA18-201A \"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1547.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Registry Run Keys / Startup Folder\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Rocke\",\n                            \"Tropic Trooper\",\n                            \"Gamaredon Group\",\n                            \"Sharpshooter\",\n                            \"Molerats\",\n                            \"Silence\",\n                            \"RTM\",\n                            \"Inception\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"Kimsuky\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"APT18\",\n                        
    \"Turla\",\n                            \"Dark Caracal\",\n                            \"Cobalt Group\",\n                            \"Honeybee\",\n                            \"Threat Group-3390\",\n                            \"Dragonfly 2.0\",\n                            \"Gorgon Group\",\n                            \"Ke3chang\",\n                            \"APT19\",\n                            \"Leviathan\",\n                            \"MuddyWater\",\n                            \"APT37\",\n                            \"BRONZE BUTLER\",\n                            \"Magic Hound\",\n                            \"APT3\",\n                            \"FIN10\",\n                            \"FIN7\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            \"Lazarus Group\",\n                            \"Putter Panda\",\n                            \"APT29\",\n                            \"Darkhotel\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to 
filter out false positives. \",\n                            \"name\": \"registry_keys_used_for_persistence_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Sc exe Manipulating Windows Services\",\n                    \"id\": \"f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for arguments to sc.exe indicating the creation or modification of a Windows service.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process=\\\"* create *\\\" OR Processes.process=\\\"* config *\\\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`\",\n                    \"known_false_positives\": \"Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. 
It is important to validate and investigate as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Service Abuse\",\n                            \"DHS Report TA18-074A\",\n                            \"Orangeworm Attack Group\",\n                            \"Windows Persistence Techniques\",\n                            \"Disabling Security Tools\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1543.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\",\n                            \"PR.PT\",\n                            \"PR.AC\",\n                            \"PR.AT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Service\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"DarkVishnya\",\n                            \"Wizard Spider\",\n                            \"APT32\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Tropic Trooper\",\n                            \"Cobalt 
Group\",\n                            \"Ke3chang\",\n                            \"Honeybee\",\n                            \"FIN7\",\n                            \"Threat Group-3390\",\n                            \"APT19\",\n                            \"APT3\",\n                            \"Lazarus Group\",\n                            \"Carbanak\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"sc_exe_manipulating_windows_services_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Scheduled Task Name Used by Dragonfly Threat Actors\",\n                    \"id\": \"d5af132c-7c17-439c-9d31-13d55340f36c\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for flags passed to schtasks.exe on the command-line that indicate a task name associated with the Dragonfly threat actor was created or deleted.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe  by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search (process=*delete* OR process=*create*) process=*reset* | `scheduled_task_name_used_by_dragonfly_threat_actors_filter` \",\n                    \"known_false_positives\": \"No known false positives\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DHS Report TA18-074A\"\n                        ],\n                        
\"mitre_attack_id\": [\n                            \"T1053.005\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Scheduled Task\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\",\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Gamaredon Group\",\n                            \"Blue Mockingbird\",\n                            \"MuddyWater\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"APT-C-36\",\n                            \"BRONZE BUTLER\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"Soft Cell\",\n                            \"Silence\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"Dragonfly 2.0\",\n                            \"Patchwork\",\n                            \"OilRig\",\n                            \"Rancor\",\n                            \"Cobalt Group\",\n                            \"FIN8\",\n                            \"menuPass\",\n                            \"FIN10\",\n                            \"APT32\",\n                            
\"FIN7\",\n                            \"Stealth Falcon\",\n                            \"FIN6\",\n                            \"APT3\",\n                            \"APT29\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"scheduled_task_name_used_by_dragonfly_threat_actors_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Single Letter Process On Endpoint\",\n                    \"id\": \"a4214f0b-e01c-41bc-8cc4-d2b71e3056b4\",\n                    \"version\": 2,\n                    \"date\": \"2019-04-01\",\n                    \"description\": \"This search looks for process names that consist only of a single letter.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. 
You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest, Processes.user, Processes.process, Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | eval process_name_length = len(process_name), endExe = if(substr(process_name, -4) == \\\".exe\\\", 1, 0) | search process_name_length=5 AND endExe=1 | table count, firstTime, lastTime, dest, user, process, process_name | `single_letter_process_on_endpoint_filter`\",\n                    \"known_false_positives\": \"Single-letter executables are not always malicious. 
Investigate this activity with your normal incident-response process.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 2\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"single_letter_process_on_endpoint_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Suspicious Reg exe Process\",\n                    \"id\": \"a6b3ab4e-dd77-4213-95fa-fc94701995e0\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search looks for reg.exe being launched from a command prompt not started by the user. When a user launches cmd.exe, the parent process is usually explorer.exe. This search filters out those instances.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://car.mitre.org/wiki/CAR-2013-03-001\"\n                    ],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name != explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id Processes.dest Processes.process_name | 
`drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup process_id| table process_id dest] | `suspicious_reg_exe_process_filter` \",\n                    \"known_false_positives\": \"It's possible for system administrators to write scripts that exhibit this behavior. If this is the case, the search will need to be modified to filter them out.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Defense Evasion Tactics\",\n                            \"Disabling Security Tools\",\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1112\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Modify Registry\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Gamaredon Group\",\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Turla\",\n                            \"APT32\",\n                            \"APT38\",\n                  
          \"Dragonfly 2.0\",\n                            \"APT19\",\n                            \"Threat Group-3390\",\n                            \"Honeybee\",\n                            \"Patchwork\",\n                            \"Gorgon Group\",\n                            \"FIN8\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"suspicious_reg_exe_process_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Outbound SMB Traffic\",\n                    \"id\": \"7f5fb3e1-4209-414-90db-0ec21b936378\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for outbound SMB connections made by hosts within your network to the Internet. SMB traffic is used for Windows file-sharing activity. 
One technique commonly used by attackers is forced authentication: a victim host is induced (for example through a UNC path embedded in a document, link or shortcut) to make an SMB request to an attacker-controlled server, which captures the host's NTLM credential hash for offline cracking or relay. Workstations and servers rarely have a legitimate need to speak SMB to the Internet, so any such outbound connection warrants investigation.
Categorize the internal CIDR blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those CIDR blocks. Note that the search's hard-coded exclusions cover only the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); loopback, link-local (169.254.0.0/16), carrier-grade NAT (100.64.0.0/10) and IPv6 destinations are not excluded and must be handled through the `internal` category.
summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_outbound_smb_traffic_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"SMB Traffic Spike\",\n                    \"id\": \"7f5fb3e1-4209-4914-90db-0ec21b936378\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search looks for spikes in the number of Server Message Block (SMB) traffic connections.\",\n                    \"how_to_implement\": \"This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | `drop_dm_object_name(\\\"All_Traffic\\\")` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \\\"-70m@m\\\"), count, 
null))) as count avg(eval(if(_time<relative_time(maxtime, \\\"-70m@m\\\"), count, null))) as avg stdev(eval(if(_time<relative_time(maxtime, \\\"-70m@m\\\"), count, null))) as stdev by src | eval upperBound=(avg+stdev*2), isOutlier=if(count > upperBound AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count | `smb_traffic_spike_filter` \",\n                    \"known_false_positives\": \"A file server may experience high-demand loads that could cause this analytic to trigger.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"Hidden Cobra Malware\",\n                            \"Ransomware\",\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1021.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"SMB/Windows Admin Shares\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"Orangeworm\",\n                            \"FIN8\",\n                            \"APT3\",\n           
                 \"Lazarus Group\",\n                            \"Threat Group-1314\",\n                            \"Turla\",\n                            \"Deep Panda\",\n                            \"Ke3chang\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"smb_traffic_spike_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"SMB Traffic Spike - MLTK\",\n                    \"id\": \"d25773ba-9ad8-48d1-858e-07ad0bbeb828\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search uses the Machine Learning Toolkit (MLTK) to identify spikes in the number of Server Message Block (SMB) connections.\",\n                    \"how_to_implement\": \"To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \\\"Baseline of SMB Traffic - MLTK\\\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. 
It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\\\\\\nThis search produces a field (Number of events,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \\\\\\n1. **Label:** Number of events, **Field:** count\\\\\\nDetailed documentation on how to create a new field within Incident Review is found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, \\\"%H\\\") | eval DayOfWeek=strftime(_time, \\\"%A\\\") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 | rename \\\"IsOutlier(count)\\\" as isOutlier | search isOutlier > 0 | sort -count | table _time src dest port count | `smb_traffic_spike___mltk_filter` \",\n                    \"known_false_positives\": \"If you are seeing more results than desired, you may consider reducing the value of the threshold in the search. 
You should also periodically re-run the support search to re-build the ML model on the latest data. Please update the `smb_traffic_spike_mltk_filter` macro to filter out false positive results\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"Hidden Cobra Malware\",\n                            \"Ransomware\",\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1021.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"SMB/Windows Admin Shares\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"Orangeworm\",\n                            \"FIN8\",\n                            \"APT3\",\n                            \"Lazarus Group\",\n                            \"Threat Group-1314\",\n                            \"Turla\",\n                            \"Deep Panda\",\n                            \"Ke3chang\"\n                        ]\n                    },\n                    \"baselines\": 
[\n                        {\n                            \"name\": \"Baseline of SMB Traffic - MLTK\",\n                            \"id\": \"df98763b-0b08-4281-8ef9-08db7ac572a9\",\n                            \"version\": 1,\n                            \"date\": \"2019-05-08\",\n                            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the number of SMB connections observed each hour for every day of week. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search to identify outliers in the number of SMB connections for that hour and day of the week.\",\n                            \"how_to_implement\": \"You must be ingesting network traffic and populating the Network_Traffic data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. To improve your results, you may consider adding \\\"src\\\" to the by clause, which will build the model for each unique source in your enviornment. However, if you have a large number of hosts in your environment, this search may be very resource intensive. In this case, you may need to raise the value of max_inputs and/or max_groups in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. 
More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=10m, All_Traffic.src | eval HourOfDay=strftime(_time, \\\"%H\\\") | eval DayOfWeek=strftime(_time, \\\"%A\\\") | `drop_dm_object_name(\\\"All_Traffic\\\")` | fit DensityFunction count by \\\"HourOfDay,DayOfWeek\\\" into smb_pdfmodel\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"DHS Report TA18-074A\",\n                                    \"Disabling Security Tools\",\n                                    \"Emotet Malware  DHS Report TA18-201A \",\n                                    \"Hidden Cobra Malware\",\n                                    \"Netsh Abuse\",\n                                    \"Ransomware\"\n                                ],\n                                \"detections\": [\n                                    \"Processes launching netsh\",\n                                    \"SMB Traffic Spike - MLTK\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit 
the output results to filter out false positives. \",\n                            \"name\": \"smb_traffic_spike___mltk_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Disabling Security Tools\",\n            \"id\": \"fcc27099-46a0-46b0-a271-5c7dab56b6f1\",\n            \"version\": 2,\n            \"date\": \"2020-02-04\",\n            \"description\": \"Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching netsh, and many others.\",\n            \"narrative\": \"Attackers employ a variety of tactics in order to avoid detection and operate without barriers. This often involves modifying the configuration of security tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes searches that look for activity consistent with attackers attempting to disable various security mechanisms. Such activity may involve monitoring for suspicious registry activity, as this is where much of the configuration for Windows and various other programs reside, or explicitly attempting to shut down security-related services. 
Other times, attackers attempt various tricks to prevent specific programs from running, such as adding the code-signing certificates of the security tools to the untrusted (Disallowed) certificate store, which causes Windows to refuse to run the signed binaries.
                  \"Threat Group-3390\",\n                    \"Cobalt Group\",\n                    \"Night Dragon\",\n                    \"APT32\",\n                    \"Tropic Trooper\",\n                    \"Patchwork\",\n                    \"Turla\",\n                    \"no\",\n                    \"FIN8\",\n                    \"APT38\",\n                    \"Silence\",\n                    \"APT19\",\n                    \"DarkVishnya\",\n                    \"Blue Mockingbird\",\n                    \"Gorgon Group\",\n                    \"Kimsuky\",\n                    \"Carbanak\",\n                    \"APT3\",\n                    \"Wizard Spider\",\n                    \"Rocke\",\n                    \"Ke3chang\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Attempt To Add Certificate To Untrusted Store\",\n                    \"id\": \"6bc5243e-ef36-45dc-9b12-f4a6be131159\",\n                    \"version\": 5,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"Attempt to add a certificate to the untrusted certificate store\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe (Processes.process=*-addstore* AND Processes.process=*disallowed* ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter`\",\n                    \"known_false_positives\": \"There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Disabling Security Tools\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1553.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                       
 \"mitre_attack_technique\": [\n                            \"Install Root Certificate\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"attempt_to_add_certificate_to_untrusted_store_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Attempt To Stop Security Service\",\n                    \"id\": \"c8e349c6-b97c-486e-8949-bd7bcd1f3910\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for attempts to stop security-related services on the endpoint.\",\n                    \"how_to_implement\": \"You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. The search is shipped with a lookup file, `security_services.csv`, that can be edited to update the list of services to monitor. This lookup file can be edited directly where it lives in `$SPLUNK_HOME/etc/apps/DA-ESS-ContentUpdate/lookups`, or via the Splunk console. You should add the names of services an attacker might use on the command line and surround with asterisks (*****), so that they work properly when searching the command line. 
The file should be updated with the names of any services you would like to monitor for attempts to stop the service.
\"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Disable or Modify Tools\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Gamaredon Group\",\n                            \"BRONZE BUTLER\",\n                            \"Rocke\",\n                            \"Kimsuky\",\n                            \"Turla\",\n                            \"Night Dragon\",\n                            \"Gorgon Group\",\n                            \"Lazarus Group\",\n                            \"Putter Panda\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"attempt_to_stop_security_service_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Processes launching netsh\",\n                    \"id\": \"b89919ed-fe5f-492c-b139-95dbb162040e\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-10\",\n                    \"description\": \"This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Josef Kuepker, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) AS Processes.process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=netsh.exe by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.user Processes.dest |`drop_dm_object_name(\\\"Processes\\\")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`processes_launching_netsh_filter`\",\n                    \"known_false_positives\": \"Some VPN applications are known to launch netsh.exe. 
Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Netsh Abuse\",\n                            \"Disabling Security Tools\",\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1562.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Disable or Modify System Firewall\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Rocke\",\n                            \"Lazarus Group\",\n                            \"Kimsuky\",\n                            \"Dragonfly 2.0\",\n                            \"Carbanak\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of SMB Traffic - MLTK\",\n                            \"id\": \"df98763b-0b08-4281-8ef9-08db7ac572a9\",\n                            \"version\": 1,\n                            \"date\": \"2019-05-08\",\n                            \"description\": \"This search is used to build a Machine 
Learning Toolkit (MLTK) model to characterize the number of SMB connections observed each hour for every day of week. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search to identify outliers in the number of SMB connections for that hour and day of the week.\",\n                            \"how_to_implement\": \"You must be ingesting network traffic and populating the Network_Traffic data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. To improve your results, you may consider adding \\\"src\\\" to the by clause, which will build the model for each unique source in your environment. However, if you have a large number of hosts in your environment, this search may be very resource intensive. In this case, you may need to raise the value of max_inputs and/or max_groups in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. 
More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=10m, All_Traffic.src | eval HourOfDay=strftime(_time, \\\"%H\\\") | eval DayOfWeek=strftime(_time, \\\"%A\\\") | `drop_dm_object_name(\\\"All_Traffic\\\")` | fit DensityFunction count by \\\"HourOfDay,DayOfWeek\\\" into smb_pdfmodel\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"DHS Report TA18-074A\",\n                                    \"Disabling Security Tools\",\n                                    \"Emotet Malware  DHS Report TA18-201A \",\n                                    \"Hidden Cobra Malware\",\n                                    \"Netsh Abuse\",\n                                    \"Ransomware\"\n                                ],\n                                \"detections\": [\n                                    \"Processes launching netsh\",\n                                    \"SMB Traffic Spike - MLTK\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Previously seen command line arguments\",\n                            \"id\": \"56059acf-50fe-4f60-98d1-b75b51b5c2f3\",\n                            \"version\": 2,\n                            \"date\": \"2019-03-01\",\n                            \"description\": \"This search looks for command-line arguments where `cmd.exe /c` is used to execute a program, then creates a baseline of the earliest and latest times we have encountered this command-line 
argument in our dataset within the last 30 days.\",\n                            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe AND Processes.process=\\\"* /c *\\\" by Processes.process | `drop_dm_object_name(Processes)`\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"DHS Report TA18-074A\",\n                                    \"Disabling Security Tools\",\n                                    \"Hidden Cobra Malware\",\n                                    \"Netsh Abuse\",\n                                    \"Orangeworm Attack Group\",\n                                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                                    \"Suspicious Command-Line Executions\",\n                                    \"Suspicious MSHTA Activity\"\n                                ],\n                                \"detections\": [\n                                    \"Detect Prohibited Applications Spawning cmd.exe\",\n                                    \"Processes launching netsh\",\n                                    \"First time seen command line argument\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n         
                   \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"processes_launching_netsh_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Sc exe Manipulating Windows Services\",\n                    \"id\": \"f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for arguments to sc.exe indicating the creation or modification of a Windows service.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process=\\\"* create *\\\" OR Processes.process=\\\"* config *\\\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | 
`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`\",\n                    \"known_false_positives\": \"Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. It is important to validate and investigate as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Service Abuse\",\n                            \"DHS Report TA18-074A\",\n                            \"Orangeworm Attack Group\",\n                            \"Windows Persistence Techniques\",\n                            \"Disabling Security Tools\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1543.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\",\n                            \"PR.PT\",\n                            \"PR.AC\",\n                            \"PR.AT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Service\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue 
Mockingbird\",\n                            \"DarkVishnya\",\n                            \"Wizard Spider\",\n                            \"APT32\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Tropic Trooper\",\n                            \"Cobalt Group\",\n                            \"Ke3chang\",\n                            \"Honeybee\",\n                            \"FIN7\",\n                            \"Threat Group-3390\",\n                            \"APT19\",\n                            \"APT3\",\n                            \"Lazarus Group\",\n                            \"Carbanak\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"sc_exe_manipulating_windows_services_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Suspicious Reg exe Process\",\n                    \"id\": \"a6b3ab4e-dd77-4213-95fa-fc94701995e0\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search looks for reg.exe being launched from a command prompt not started by the user. When a user launches cmd.exe, the parent process is usually explorer.exe. This search filters out those instances.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://car.mitre.org/wiki/CAR-2013-03-001\"\n                    ],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name != explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id Processes.dest Processes.process_name | 
`drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup process_id| table process_id dest] | `suspicious_reg_exe_process_filter` \",\n                    \"known_false_positives\": \"It's possible for system administrators to write scripts that exhibit this behavior. If this is the case, the search will need to be modified to filter them out.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Defense Evasion Tactics\",\n                            \"Disabling Security Tools\",\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1112\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Modify Registry\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Gamaredon Group\",\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Turla\",\n                            \"APT32\",\n                            \"APT38\",\n                  
          \"Dragonfly 2.0\",\n                            \"APT19\",\n                            \"Threat Group-3390\",\n                            \"Honeybee\",\n                            \"Patchwork\",\n                            \"Gorgon Group\",\n                            \"FIN8\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"suspicious_reg_exe_process_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Unload Sysmon Filter Driver\",\n                    \"id\": \"c77162d3-f93c-45cc-80c8-22f665664g9f\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"Attackers often disable security tools to avoid detection. 
This search looks for the usage of process `fltMC.exe` to unload a Sysmon Driver that will stop sysmon from collecting the data.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. This search is also shipped with `unload_sysmon_filter_driver_filter` macro, update this macro to filter out false positives.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fltMC.exe AND Processes.process=*unload* AND Processes.process=*SysmonDrv*  by Processes.process_name Processes.process_id Processes.parent_process_name Processes.process Processes.dest Processes.user | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` |`unload_sysmon_filter_driver_filter`| table firstTime lastTime dest user count process_name process_id parent_process_name process\",\n                    \"known_false_positives\": \"\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Disabling Security Tools\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1562.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 
8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"\",\n                        \"mitre_attack_technique\": [\n                            \"Disable or Modify Tools\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Gamaredon Group\",\n                            \"BRONZE BUTLER\",\n                            \"Rocke\",\n                            \"Kimsuky\",\n                            \"Turla\",\n                            \"Night Dragon\",\n                            \"Gorgon Group\",\n                            \"Lazarus Group\",\n                            \"Putter Panda\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out 
false positives. \",\n                            \"name\": \"unload_sysmon_filter_driver_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"DNS Amplification Attacks\",\n            \"id\": \"e8afd39e-3294-11e6-b39d-a45e60c6700\",\n            \"version\": 1,\n            \"date\": \"2016-09-13\",\n            \"description\": \"DNS poses a serious threat as a Denial of Service (DOS) amplifier, if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, causing Denial of Service to other victims.\",\n            \"narrative\": \"The Domain Name System (DNS) is the protocol used to map domain names to IP addresses. It has been proven to work very well for its intended function. However, if DNS is misconfigured, servers can be abused by attackers to levy amplification or redirection attacks against victims. Because DNS responses to `ANY` queries are so much larger than the queries themselves--and can be made with a UDP packet, which does not require a handshake--attackers can spoof the source address of the packet and cause much more data to be sent to the victim than if they sent the traffic themselves. The `ANY` requests will be larger than normal DNS server requests, due to the fact that the server provides significant details, such as MX records and associated IP addresses. A large volume of this traffic can result in a DOS on the victim's machine. 
This misconfiguration leads to two possible victims, the first being the DNS servers participating in an attack and the other being the hosts that are the targets of the DOS attack.\\\\\\nThe search in this story can help you to detect if attackers are abusing your company's DNS infrastructure to launch DNS amplification attacks causing Denial of Service to other victims.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.us-cert.gov/ncas/alerts/TA13-088A\",\n                \"https://www.imperva.com/learn/application-security/dns-amplification/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"DNS Amplification Attacks\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Abuse\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1498.002\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Reflection Amplification\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Impact\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Large Volume of DNS ANY Queries\",\n                    \"id\": \"8fa891f7-a533-4b3c-af85-5aa2e7c1f1eb\",\n                    \"version\": 1,\n                    \"date\": \"2017-09-20\",\n                    \"description\": \"The search is used to identify attempts to use your DNS Infrastructure for DDoS purposes via a DNS amplification attack leveraging ANY queries.\",\n                    \"how_to_implement\": \"To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.\",\n                    \"type\": \"ESCU\",\n                
    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where nodename=DNS \\\"DNS.message_type\\\"=\\\"QUERY\\\" \\\"DNS.record_type\\\"=\\\"ANY\\\" by \\\"DNS.dest\\\" | `drop_dm_object_name(\\\"DNS\\\")` | where count>200 | `large_volume_of_dns_any_queries_filter`\",\n                    \"known_false_positives\": \"Legitimate ANY requests may trigger this search, however it is unusual to see a large volume of them under typical circumstances. You may modify the threshold in the search to better suit your environment.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DNS Amplification Attacks\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1498.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 11\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"DNS Servers\",\n                        \"mitre_attack_technique\": [\n                            \"Reflection Amplification\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Impact\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                     
   {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"large_volume_of_dns_any_queries_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"DNS Hijacking\",\n            \"id\": \"8169f17b-ef68-4b59-aa28-586907301221\",\n            \"version\": 1,\n            \"date\": \"2020-02-04\",\n            \"description\": \"Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records.\",\n            \"narrative\": \"Dubbed the Achilles heel of the Internet (see https://www.f5.com/labs/articles/threat-intelligence/dns-is-still-the-achilles-heel-of-the-internet-25613), DNS plays a critical role in routing web traffic but is notoriously vulnerable to attack. One reason is its distributed nature. It relies on unstructured connections between millions of clients and servers over inherently insecure protocols.\\\\\\nThe gravity and extent of the importance of securing DNS from attacks is undeniable. The fallout of compromised DNS can be disastrous. Not only can hackers bring down an entire business, they can intercept confidential information, emails, and login credentials, as well. \\\\\\nOn January 22, 2019, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) raised awareness of some high-profile DNS hijacking attacks against infrastructure, both in the United States and abroad. 
It issued Emergency Directive 19-01 (see https://cyber.dhs.gov/ed/19-01/), which summarized the activity and required government agencies to take the following four actions, all within 10 days: \\\\\\n1. For all .gov or other agency-managed domains, audit public DNS records on all authoritative and secondary DNS servers, verify that they resolve to the intended location or report them to CISA.\\\\\\n1. Update the passwords for all accounts on systems that can make changes to each agency's DNS records.\\\\\\n1. Implement multi-factor authentication (MFA) for all accounts on systems that can make changes to each agency's DNS records or, if impossible, provide CISA with the names of systems, the reasons why MFA cannot be enabled within the required timeline, and an ETA for when it can be enabled.\\\\\\n1. CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains via the Cyber Hygiene service. Upon receipt, agencies must immediately begin monitoring CT log data for certificates issued that they did not request. If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA. Of course, it makes sense to put equivalent actions in place within your environment, as well. \\\\\\nIn DNS hijacking, the attacker assumes control over an account or makes use of a DNS service exploit to make changes to DNS records. Once they gain access, attackers can substitute their own MX records, name-server records, and addresses, redirecting emails and traffic through their infrastructure, where they can read, copy, or modify information seen. They can also generate valid encryption certificates to help them avoid browser-certificate checks. 
In one notable attack on the Internet service provider, GoDaddy, the hackers altered Sender Policy Framework (SPF) records a relatively minor change that did not inflict excessive damage but allowed for more effective spam campaigns.\\\\\\nThe searches in this Analytic Story help you detect and investigate activities that may indicate that DNS hijacking has taken place within your environment.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html\",\n                \"https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/\",\n                \"http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/\",\n                \"https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"DNS Hijacking\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1048.003\",\n                    \"T1071.004\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"DNS\",\n                    \"Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Exfiltration\",\n                    \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT32\",\n                    \"Tropic Trooper\",\n                    \"APT18\",\n                    \"Thrip\",\n                    \"APT39\",\n                    \"Ke3chang\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    
\"APT41\",\n                    \"OilRig\",\n                    \"FIN8\",\n                    \"Cobalt Group\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Clients Connecting to Multiple DNS Servers\",\n                    \"id\": \"74ec6f18-604b-4202-a567-86b2066be3ce\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search.\",\n                    \"how_to_implement\": \"This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro.\\\\\\nThis search produces fields (`dest_count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. 
**Label:** Distinct DNS Connections, **Field:** dest_count\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src | `drop_dm_object_name(\\\"Network_Resolution\\\")` |where dest_count > 5 | `clients_connecting_to_multiple_dns_servers_filter` \",\n                    \"known_false_positives\": \"It's possible that an enterprise has more than five DNS servers that are configured in a round-robin rotation. Please customize the search, as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DNS Hijacking\",\n                            \"Command and Control\",\n                            \"Suspicious DNS Traffic\",\n                            \"Host Redirection\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1048.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 9\",\n                            \"CIS 12\",\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                   
     \"mitre_attack_technique\": [\n                            \"Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Exfiltration\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT32\",\n                            \"APT33\",\n                            \"Thrip\",\n                            \"FIN8\",\n                            \"OilRig\",\n                            \"Lazarus Group\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"clients_connecting_to_multiple_dns_servers_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect hosts connecting to dynamic domain providers\",\n                    \"id\": \"c77162d3-f93c-45cc-80c8-22f6v5464g9f\",\n                    \"version\": 2,\n                    \"date\": \"2020-01-16\",\n                    \"description\": \"Malicious actors often abuse legitimate Dynamic DNS services to host malicious payloads or interactive command and control nodes. 
Attackers will automate domain resolution changes by routing dynamic domains to countless IP addresses to circumvent firewall blocks, blacklists as well as frustrate a network defenders analytic and investigative processes. This search will look for DNS queries made from within your infrastructure to suspicious dynamic domains.\",\n                    \"how_to_implement\": \"First, you'll need to ingest data from your DNS operations. This can be done by ingesting logs from your server or data, collected passively by Splunk Stream or a similar solution. Specifically, data that contains the domain that is being queried and the IP of the host originating the request must be populating the `Network_Resolution` data model. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of Dynamic DNS providers. Please consider updating the local lookup periodically by adding new domains to the list of `dynamic_dns_providers_local.csv`.\\\\\\nThis search produces fields (query, answer, isDynDNS) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable event. To see the additional metadata, add the following fields, if not already present, to Incident Review. Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** DNS Query, **Field:** query\\\\\\n1. \\\\\\n1. **Label:** DNS Answer, **Field:** answer\\\\\\n1. \\\\\\n1. 
**Label:** IsDynamicDNS, **Field:** isDynDNS\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(\\\"DNS\\\")` | `security_content_ctime(firstTime)` | `dynamic_dns_providers` | `detect_hosts_connecting_to_dynamic_domain_providers_filter`\",\n                    \"known_false_positives\": \"Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Data Protection\",\n                            \"Prohibited Traffic Allowed or Protocol Mismatch\",\n                            \"DNS Hijacking\",\n                            \"Suspicious DNS Traffic\",\n                            \"Dynamic DNS\",\n                            \"Command and Control\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 12\",\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"PR.DS\",\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        
],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True\",\n                            \"description\": \"This macro limits the output of the query field to dynamic dns domains. 
It looks up the domains in a file provided by Splunk and one intended to be updated by the end user.\",\n                            \"name\": \"dynamic_dns_providers\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_hosts_connecting_to_dynamic_domain_providers_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"DNS Query Requests Resolved by Unauthorized DNS Servers\",\n                    \"id\": \"1a67f15a-f4ff-4170-84e9-08cf6f75d6f6\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework.\",\n                    \"how_to_implement\": \"To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. 
It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise Security.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name(\\\"DNS\\\")` | `dns_query_requests_resolved_by_unauthorized_dns_servers_filter` \",\n                    \"known_false_positives\": \"Legitimate DNS activity can be detected in this search. Investigate, verify and update the list of authorized DNS servers as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DNS Hijacking\",\n                            \"Command and Control\",\n                            \"Suspicious DNS Traffic\",\n                            \"Host Redirection\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1071.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\",\n                            \"CIS 3\",\n                            \"CIS 8\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\",\n                            \"PR.IP\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"DNS\"\n  
                      ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"OilRig\",\n                            \"Ke3chang\",\n                            \"Cobalt Group\",\n                            \"APT18\",\n                            \"APT41\",\n                            \"FIN7\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"dns_query_requests_resolved_by_unauthorized_dns_servers_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"DNS record changed\",\n                    \"id\": \"44d3a43e-dcd5-49f7-8356-5209bb369065\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"The search takes the DNS records and their answers results of the discovered_dns_records lookup and finds if any records have changed by searching DNS response from the Network_Resolution datamodel across the last day.\",\n                    \"how_to_implement\": \"To successfully implement this search you will need to ensure that DNS data is populating the `Network_Resolution` data model. 
It also requires that the `discover_dns_record` lookup table be populated by the included support search \\\"Discover DNS record\\\". \\\\\\n **Splunk>Phantom Playbook Integration**\\\\\\nIf Splunk>Phantom is also configured in your environment, a Playbook called \\\"DNS Hijack Enrichment\\\" can be configured to run when any results are found by this detection search. The playbook takes in the DNS record changed and uses Geoip, whois, Censys and PassiveTotal to detect if DNS issuers changed. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the \\\"Phantom Instance\\\" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. \\\\\\n(Playbook Link:`https://my.phantom.us/4.2/playbook/dns-hijack-enrichment/`).\\\\\\n\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Jose Hernandez, Splunk\",\n                    \"search\": \"| inputlookup discovered_dns_records.csv | rename answer as discovered_answer | join domain[|tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as current_answer values(DNS.src) as src from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!=\\\"unknown\\\" DNS.answer!=\\\"\\\" by DNS.query | rename DNS.query as query | where query!=\\\"unknown\\\" | rex field=query \\\"(?<domain>\\\\w+\\\\.\\\\w+?)(?:$|/)\\\"] | makemv delim=\\\" \\\" answer |  makemv delim=\\\" \\\" type | sort -count | table count,src,domain,type,query,current_answer,discovered_answer | makemv current_answer  | mvexpand current_answer | makemv discovered_answer | eval n=mvfind(discovered_answer, current_answer) | where isnull(n) | `dns_record_changed_filter`\",\n                    \"known_false_positives\": \"Legitimate DNS changes can be detected in this search. 
Investigate, verify and update the list of provided current answers for the domains in question as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DNS Hijacking\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1071.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\",\n                            \"CIS 3\",\n                            \"CIS 8\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\",\n                            \"PR.IP\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"DNS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"OilRig\",\n                            \"Ke3chang\",\n                            \"Cobalt Group\",\n                            \"APT18\",\n                            \"APT41\",\n                            \"FIN7\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Discover DNS records\",\n                            \"id\": 
\"c096f721-8842-42ce-bfc7-74bd8c72b7c3\",\n                            \"version\": 1,\n                            \"date\": \"2019-02-14\",\n                            \"description\": \"The search takes corporate and common cloud provider domains configured under `cim_corporate_email_domains.csv`, `cim_corporate_web_domains.csv`, and `cloud_domains.csv` finds their responses across the last 30 days from data in the `Network_Resolution ` datamodel, then stores the output under the `discovered_dns_records.csv` lookup\",\n                            \"how_to_implement\": \"To successfully implement this search, you must be ingesting DNS logs, and populating the Network_Resolution data model. Also make sure that the cim_corporate_web_domains and cim_corporate_email_domains lookups are populated with the domains owned by your corporation\",\n                            \"author\": \"Jose Hernandez, Splunk\",\n                            \"search\": \"| inputlookup cim_corporate_email_domains.csv | inputlookup append=T cim_corporate_web_domains.csv | inputlookup append=T cim_cloud_domains.csv | eval domain = trim(replace(domain, \\\"\\\\*\\\", \\\"\\\")) | join domain [|tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as answer from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!=\\\"unknown\\\" DNS.answer!=\\\"\\\" by DNS.query | rename DNS.query as query | where query!=\\\"unknown\\\" | rex field=query \\\"(?<domain>\\\\w+\\\\.\\\\w+?)(?:$|/)\\\"] | makemv delim=\\\" \\\" answer |  makemv delim=\\\" \\\" type | sort -count | table count,domain,type,query,answer | outputlookup createinapp=true discovered_dns_records.csv\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"DNS Hijacking\"\n                                ],\n                                \"detections\": [\n                                    
\"DNS record changed\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"dns_record_changed_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Dynamic DNS\",\n            \"id\": \"8169f17b-ef68-4b59-aae8-586907301221\",\n            \"version\": 2,\n            \"date\": \"2018-09-06\",\n            \"description\": \"Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and blacklists.\",\n            \"narrative\": \"Dynamic DNS services (DDNS) are legitimate low-cost or free services that allow users to rapidly update domain resolutions to IP infrastructure. While their usage can be benign, malicious actors can abuse DDNS to host harmful payloads or interactive-command-and-control infrastructure. These attackers will manually update or automate domain resolution changes by routing dynamic domains to IP addresses that circumvent firewall blocks and blacklists and frustrate a network defender's analytic and investigative processes. These searches will look for DNS queries made from within your infrastructure to suspicious dynamic domains and then investigate more deeply, when appropriate. 
While this list of top-level dynamic domains is not exhaustive, it can be dynamically updated as new suspicious dynamic domains are identified.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html\",\n                \"https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/\",\n                \"http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/\",\n                \"https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Dynamic DNS\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Malware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1071.001\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Web Protocols\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"TA505\",\n                    \"Lazarus Group\",\n                    \"APT41\",\n                    \"BRONZE BUTLER\",\n                    \"Gamaredon Group\",\n                    \"Threat Group-3390\",\n                    \"Cobalt Group\",\n                    \"Night Dragon\",\n                    \"APT18\",\n                    \"Tropic Trooper\",\n                    \"APT32\",\n                    \"APT28\",\n                    \"Turla\",\n                    \"Ke3chang\",\n                    \"Rancor\",\n                    \"SilverTerrier\",\n                    \"APT38\",\n                    \"Sandworm Team\",\n                    
\"APT19\",\n                    \"APT37\",\n                    \"Machete\",\n                    \"Orangeworm\",\n                    \"APT39\",\n                    \"Stealth Falcon\",\n                    \"Magic Hound\",\n                    \"Inception\",\n                    \"Dark Caracal\",\n                    \"Wizard Spider\",\n                    \"WIRTE\",\n                    \"OilRig\",\n                    \"FIN4\",\n                    \"Rocke\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect hosts connecting to dynamic domain providers\",\n                    \"id\": \"c77162d3-f93c-45cc-80c8-22f6v5464g9f\",\n                    \"version\": 2,\n                    \"date\": \"2020-01-16\",\n                    \"description\": \"Malicious actors often abuse legitimate Dynamic DNS services to host malicious payloads or interactive command and control nodes. Attackers will automate domain resolution changes by routing dynamic domains to countless IP addresses to circumvent firewall blocks, blacklists as well as frustrate a network defenders analytic and investigative processes. This search will look for DNS queries made from within your infrastructure to suspicious dynamic domains.\",\n                    \"how_to_implement\": \"First, you'll need to ingest data from your DNS operations. This can be done by ingesting logs from your server or data, collected passively by Splunk Stream or a similar solution. Specifically, data that contains the domain that is being queried and the IP of the host originating the request must be populating the `Network_Resolution` data model. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of Dynamic DNS providers. 
Please consider updating the local lookup periodically by adding new domains to the list of `dynamic_dns_providers_local.csv`.\\\\\\nThis search produces fields (query, answer, isDynDNS) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable event. To see the additional metadata, add the following fields, if not already present, to Incident Review. Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** DNS Query, **Field:** query\\\\\\n1. \\\\\\n1. **Label:** DNS Answer, **Field:** answer\\\\\\n1. \\\\\\n1. **Label:** IsDynamicDNS, **Field:** isDynDNS\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(\\\"DNS\\\")` | `security_content_ctime(firstTime)` | `dynamic_dns_providers` | `detect_hosts_connecting_to_dynamic_domain_providers_filter`\",\n                    \"known_false_positives\": \"Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Data Protection\",\n                            \"Prohibited Traffic Allowed or Protocol Mismatch\",\n                            \"DNS Hijacking\",\n                            \"Suspicious DNS Traffic\",\n                            
\"Dynamic DNS\",\n                            \"Command and Control\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 12\",\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"PR.DS\",\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True\",\n                            \"description\": \"This macro limits the output of the query field to dynamic dns domains. 
It looks up the domains in a file provided by Splunk and one intended to be updated by the end user.\",\n                            \"name\": \"dynamic_dns_providers\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_hosts_connecting_to_dynamic_domain_providers_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect web traffic to dynamic domain providers\",\n                    \"id\": \"134da869-e264-4a8f-8d7e-fcd01c18f301\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for web connections to dynamic DNS providers.\",\n                    \"how_to_implement\": \"This search requires you to be ingesting web-traffic logs. You can obtain these logs from indexing data from a web proxy or by using a network-traffic-analysis tool, such as Bro or Splunk Stream. The web data model must contain the URL being requested, the IP address of the host initiating the request, and the destination IP. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of dynamic DNS providers. 
Consider periodically updating this local lookup file with new domains.\\\\\\nThis search produces fields (`isDynDNS`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** IsDynamicDNS, **Field:** isDynDNS\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Web.url) as url min(_time) as firstTime from datamodel=Web where Web.status=200 by Web.src Web.dest Web.status | `drop_dm_object_name(\\\"Web\\\")` | `security_content_ctime(firstTime)` | `dynamic_dns_web_traffic` | `detect_web_traffic_to_dynamic_domain_providers_filter`\",\n                    \"known_false_positives\": \"It is possible that list of dynamic DNS providers is outdated and/or that the URL being requested is legitimate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Dynamic DNS\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1071.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 7\",\n                            
\"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\",\n                            \"DE.DP\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Web Protocols\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"TA505\",\n                            \"Rocke\",\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"MuddyWater\",\n                            \"Wizard Spider\",\n                            \"Inception\",\n                            \"APT41\",\n                            \"SilverTerrier\",\n                            \"Machete\",\n                            \"APT28\",\n                            \"WIRTE\",\n                            \"APT33\",\n                            \"FIN4\",\n                            \"Night Dragon\",\n                            \"APT18\",\n                            \"APT38\",\n                            \"Cobalt Group\",\n                            \"APT19\",\n                            \"Threat Group-3390\",\n                            \"Rancor\",\n                            \"Orangeworm\",\n                            \"APT37\",\n                            \"Ke3chang\",\n                            \"Dark Caracal\",\n                            \"Turla\",\n                            \"Lazarus Group\",\n                            \"BRONZE BUTLER\",\n                            \"APT32\",\n                            \"OilRig\",\n                            \"Magic 
Hound\",\n                            \"Gamaredon Group\",\n                            \"Stealth Falcon\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True\",\n                            \"description\": \"This macro limits the output of the url field to dynamic dns domains. It looks up the domains in a file provided by Splunk and one intended to be updated by the end user.\",\n                            \"name\": \"dynamic_dns_web_traffic\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"detect_web_traffic_to_dynamic_domain_providers_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Emotet Malware  DHS Report TA18-201A \",\n            \"id\": \"bb9f5ed2-916e-4364-bb6d-91c310efcf52\",\n            \"version\": 1,\n            \"date\": \"2020-01-27\",\n            \"description\": \"Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.\",\n            \"narrative\": \"The trojan downloader known as Emotet first surfaced in 2014, when it was discovered targeting the banking industry to steal credentials. However, according to a joint technical alert (TA) issued by three government agencies (https://www.us-cert.gov/ncas/alerts/TA18-201A), Emotet has evolved far beyond those beginnings to become what a ThreatPost article called a threat-delivery service (see https://threatpost.com/emotet-malware-evolves-beyond-banking-to-threat-delivery-service/134342/). For example, in early 2018, Emotet was found to be using its loader function to spread the Quakbot and Ransomware variants. \\\\\\nAccording to the TA, the malware continues to be among the most costly and destructive malware affecting the private and public sectors. Researchers have linked it to the threat group Mealybug, which has also been on the security community's radar since 2014.\\\\\\nThe searches in this Analytic Story will help you find executables that are rarely used in your environment, specific registry paths that malware often uses to ensure survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet or other malware has compromised your environment. 
\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.us-cert.gov/ncas/alerts/TA18-201A\",\n                \"https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf\",\n                \"https://www.vkremez.com/2017/05/emotet-banking-trojan-malware-analysis.html\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Emotet Malware  DHS Report TA18-201A \",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Malware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1072\",\n                    \"T1059.003\",\n                    \"T1021.002\",\n                    \"T1547.001\",\n                    \"T1566.001\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Spearphishing Attachment\",\n                    \"SMB/Windows Admin Shares\",\n                    \"Windows Command Shell\",\n                    \"Software Deployment Tools\",\n                    \"Registry Run Keys / Startup Folder\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\",\n                    \"Persistence\",\n                    \"Lateral Movement\",\n                    \"Privilege Escalation\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Putter Panda\",\n                    \"Dragonfly 2.0\",\n                    \"Soft Cell\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"Rocke\",\n                    \"Gamaredon Group\",\n                    \"APT41\",\n                    \"Naikon\",\n                    \"BRONZE BUTLER\",\n                    
\"Honeybee\",\n                    \"Frankenstein\",\n                    \"TA459\",\n                    \"DarkHydrus\",\n                    \"Cobalt Group\",\n                    \"Threat Group-3390\",\n                    \"APT18\",\n                    \"FIN10\",\n                    \"Tropic Trooper\",\n                    \"APT32\",\n                    \"Patchwork\",\n                    \"APT28\",\n                    \"Deep Panda\",\n                    \"Turla\",\n                    \"Ke3chang\",\n                    \"Rancor\",\n                    \"RTM\",\n                    \"Sharpshooter\",\n                    \"FIN8\",\n                    \"APT38\",\n                    \"Sandworm Team\",\n                    \"Gallmaker\",\n                    \"APT29\",\n                    \"Silence\",\n                    \"Molerats\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"menuPass\",\n                    \"Sowbug\",\n                    \"APT-C-36\",\n                    \"Machete\",\n                    \"Blue Mockingbird\",\n                    \"Suckfly\",\n                    \"Orangeworm\",\n                    \"APT39\",\n                    \"admin@338\",\n                    \"Magic Hound\",\n                    \"Gorgon Group\",\n                    \"Inception\",\n                    \"PLATINUM\",\n                    \"Windshift\",\n                    \"APT12\",\n                    \"The White Company\",\n                    \"Elderwood\",\n                    \"Kimsuky\",\n                    \"Dark Caracal\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"Mofang\",\n                    \"Wizard Spider\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"Threat Group-1314\",\n                    \"FIN6\",\n                    \"FIN4\",\n                    \"BlackTech\",\n                    \"TA505\",\n        
            \"APT33\",\n                    \"APT1\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Email Attachments With Lots Of Spaces\",\n                    \"id\": \"56e877a6-1455-4479-ada6-0550dc1e22f8\",\n                    \"version\": 2,\n                    \"date\": \"2017-09-19\",\n                    \"description\": \"Attackers often use spaces as a means to obfuscate an attachment's file extension. This search looks for messages with email attachments that have many spaces within the file names.\",\n                    \"how_to_implement\": \"You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment. \\\\\\n **Splunk Phantom Playbook Integration**\\\\\\nIf Splunk Phantom is also configured in your environment, a playbook called \\\"Suspicious Email Attachment Investigate and Delete\\\" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the \\\"Phantom Instance\\\" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. 
If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name=\\\"*\\\" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Email\\\")` | eval space_ratio = (mvcount(split(file_name,\\\" \\\"))-1)/len(file_name) | search space_ratio >= 0.1 |  rex field=recipient_address \\\"(?<recipient_user>.*)@\\\" | `email_attachments_with_lots_of_spaces_filter`\",\n                    \"known_false_positives\": \"None at this time\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"Suspicious Emails\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 7\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            
\"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"email_attachments_with_lots_of_spaces_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Suspicious Email Attachment Extensions\",\n                    \"id\": \"473bd65f-06ca-4dfe-a2b8-ba04ab4a0084\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search looks for emails that have attachments with suspicious file extensions.\",\n                    \"how_to_implement\": \"You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. \\\\\\n **Splunk Phantom Playbook Integration**\\\\\\nIf Splunk Phantom is also configured in your environment, a Playbook called \\\"Suspicious Email Attachment Investigate and Delete\\\" can be configured to run when any results are found by this detection search. 
To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the \\\"Phantom Instance\\\" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name=\\\"*\\\" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Email\\\")` | `suspicious_email_attachments` | `suspicious_email_attachment_extensions_filter` \",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"Suspicious Emails\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1566.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 7\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": 
\"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Spearphishing Attachment\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Magic Hound\",\n                            \"Windshift\",\n                            \"APT33\",\n                            \"Sandworm Team\",\n                            \"Naikon\",\n                            \"Gamaredon Group\",\n                            \"Sharpshooter\",\n                            \"Molerats\",\n                            \"Mofang\",\n                            \"Wizard Spider\",\n                            \"RTM\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"BlackTech\",\n                            \"APT-C-36\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"admin@338\",\n                            \"Kimsuky\",\n                            \"APT12\",\n                            \"TA505\",\n                            \"Silence\",\n                            \"The White Company\",\n                            \"APT39\",\n                            \"FIN4\",\n                            \"Darkhotel\",\n                            \"Gallmaker\",\n                            \"Tropic Trooper\",\n                            \"Turla\",\n                            \"Gorgon Group\",\n                            \"Rancor\",\n                            \"DarkHydrus\",\n                            \"Cobalt Group\",\n                            \"FIN7\",\n                            \"OilRig\",\n                            \"Lazarus Group\",\n                            
\"APT19\",\n                            \"Dragonfly 2.0\",\n                            \"BRONZE BUTLER\",\n                            \"APT32\",\n                            \"FIN8\",\n                            \"MuddyWater\",\n                            \"APT28\",\n                            \"TA459\",\n                            \"Leviathan\",\n                            \"Patchwork\",\n                            \"PLATINUM\",\n                            \"Elderwood\",\n                            \"APT29\",\n                            \"APT37\",\n                            \"menuPass\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true\",\n                            \"description\": \"This macro limits the output to email attachments that have suspicious extensions\",\n                            \"name\": \"suspicious_email_attachments\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this 
macro to limit the output results to filter out false positives. \",\n                            \"name\": \"suspicious_email_attachment_extensions_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Rare Executables\",\n                    \"id\": \"44fddcb2-8d3b-454c-874e-7c6de5a4f7ac\",\n                    \"version\": 5,\n                    \"date\": \"2020-03-16\",\n                    \"description\": \"This search will return a table of rare processes, the names of the systems running them, and the users who initiated each process.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts and populating the endpoint data model with the resultant dataset. The macro `filter_rare_process_whitelist` searches two lookup files to whitelist your processes.  These consist of `rare_process_whitelist_default.csv` and `rare_process_whitelist_local.csv`. To add your own processes to the whitelist, add them to `rare_process_whitelist_local.csv`. If you wish to remove an entry from the default lookup file, you will have to modify the macro itself to set the whitelist value for that process to false. 
You can modify the limit parameter and search scheduling to better suit your environment.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name  | rename Processes.process_name as process | rex field=user \\\"(?<user_domain>.*)\\\\\\\\\\\\\\\\(?<user_name>.*)\\\" | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search [| tstats count from datamodel=Endpoint.Processes by Processes.process_name | rare Processes.process_name limit=30 | rename Processes.process_name as process| `filter_rare_process_whitelist`| table process ] | `detect_rare_executables_filter` \",\n                    \"known_false_positives\": \"Some legitimate processes may be only rarely executed in your environment. 
As these are identified, update `rare_process_whitelist_local.csv` to filter them out of your search results.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"Unusual Processes\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\",\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 2\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.PT\",\n                            \"PR.DS\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": 
\"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"lookup update=true lookup_rare_process_whitelist_default process as process OUTPUTNEW whitelist | where whitelist=\\\"false\\\" | lookup update=true lookup_rare_process_whitelist_local process as process OUTPUT whitelist | where whitelist=\\\"false\\\"\",\n                            \"description\": \"This macro is intended to whitelist processes that have been definied as rare\",\n                            \"name\": \"filter_rare_process_whitelist\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_rare_executables_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Use of cmd exe to Launch Script Interpreters\",\n                    \"id\": \"b89919ed-fe5f-492c-b139-95dbb162039e\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\\\"cmd.exe\\\" (Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`\",\n                    \"known_false_positives\": \"Some legitimate applications may exhibit this behavior.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"Suspicious Command-Line Executions\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Exploitation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Command Shell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            
\"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"TA505\",\n                            \"Blue Mockingbird\",\n                            \"Tropic Trooper\",\n                            \"Frankenstein\",\n                            \"OilRig\",\n                            \"Lazarus Group\",\n                            \"Honeybee\",\n                            \"Cobalt Group\",\n                            \"FIN7\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"Turla\",\n                            \"Silence\",\n                            \"APT32\",\n                            \"APT39\",\n                            \"Darkhotel\",\n                            \"MuddyWater\",\n                            \"APT18\",\n                            \"APT38\",\n                            \"Dark Caracal\",\n                            \"Gorgon Group\",\n                            \"Dragonfly 2.0\",\n                            \"Rancor\",\n                            \"Ke3chang\",\n                            \"APT37\",\n                            \"Leviathan\",\n                            \"FIN8\",\n                            \"APT28\",\n                            \"Magic Hound\",\n                            \"Sowbug\",\n                            \"BRONZE BUTLER\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Gamaredon Group\",\n                            \"Suckfly\",\n                            \"Patchwork\",\n                            \"Threat Group-1314\",\n                            \"APT3\",\n                            \"admin@338\",\n                            \"APT1\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n    
                        \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_use_of_cmd_exe_to_launch_script_interpreters_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detection of tools built by NirSoft\",\n                    \"id\": \"1297fb80-f42a-4q4a-9c8b-78c061417cf6\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for specific command-line arguments that may indicate the execution of tools made by Nirsoft, which are legitimate, but may be abused by attackers.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. Note that the search aliases only max(_time) as lastTime; min(_time) is not aliased as firstTime, so the firstTime column will be empty unless you add that alias.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\\\"* /stext *\\\" OR Processes.process=\\\"* /scomma *\\\" ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detection_of_tools_built_by_nirsoft_filter`\",\n                    \"known_false_positives\": \"While legitimate, these NirSoft tools are prone to abuse. You should verify that the tool was used for a legitimate purpose.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Emotet Malware  DHS Report TA18-201A \"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1072\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Software Deployment Tools\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\",\n                            \"Lateral 
Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Silence\",\n                            \"APT32\",\n                            \"Threat Group-1314\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"detection_of_tools_built_by_nirsoft_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Prohibited Software On Endpoint\",\n                    \"id\": \"a51bfe1a-94f0-48cc-b4e4-b6ae50145893\",\n                    \"version\": 2,\n                    \"date\": \"2019-10-11\",\n                    \"description\": \"This search looks for applications on the endpoint that you have marked as prohibited.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. This is typically populated via endpoint detection-and-response products, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is usually generated via logs that report process tracking in your Windows audit settings. In addition, you must also have only the `process_name` (not the entire process path) marked as \\\"prohibited\\\" in the Enterprise Security `interesting processes` table. 
To include the process names marked as \\\"prohibited\\\", which is included with ES Content Updates, run the included search <code>Add Prohibited Processes to Enterprise Security</code>.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `prohibited_softwares` | `prohibited_software_on_endpoint_filter`\",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Monitor for Unauthorized Software\",\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"SamSam Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\",\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 2\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Add 
Prohibited Processes to Enterprise Security\",\n                            \"id\": \"251930a5-1451-4428-bb13-eed5775be0ce\",\n                            \"version\": 1,\n                            \"date\": \"2017-09-15\",\n                            \"description\": \"This search takes the existing interesting process table from ES, filters out any existing additions added by ESCU and then updates the table with processes identified by ESCU that should be prohibited on your endpoints.\",\n                            \"how_to_implement\": \"This search should be run on each new install of ESCU.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"| inputlookup interesting_processes_lookup | search note!=ESCU* | inputlookup append=T prohibitedProcesses_lookup | fillnull value=* dest dest_pci_domain | fillnull value=false is_required is_secure | fillnull value=true is_prohibited | outputlookup interesting_processes_lookup | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Emotet Malware  DHS Report TA18-201A \",\n                                    \"Monitor for Unauthorized Software\",\n                                    \"SamSam Ransomware\"\n                                ],\n                                \"detections\": [\n                                    \"Prohibited Software On Endpoint\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                       
     \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"lookup interesting_processes_lookup app as process_name OUTPUT is_prohibited | search is_prohibited=True\",\n                            \"description\": \"This macro limits the output to process_names that have been marked as prohibited\",\n                            \"name\": \"prohibited_softwares\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"prohibited_software_on_endpoint_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Registry Keys Used For Persistence\",\n                    \"id\": \"f5f6af30-7aa7-4295-bfe9-07fe87c01a4b\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"The search looks for modifications to registry keys that can be used to launch an application or service at system startup.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black or endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report reads and writes to the registry.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*currentversion\\\\\\\\run* OR Registry.registry_path=*currentVersion\\\\\\\\Windows\\\\\\\\Appinit_Dlls* OR Registry.registry_path=CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell* OR Registry.registry_path=*CurrentVersion\\\\\\\\Winlogon\\\\\\\\Userinit* OR Registry.registry_path=*CurrentVersion\\\\\\\\Winlogon\\\\\\\\VmApplet* OR Registry.registry_path=*currentversion\\\\\\\\policies\\\\\\\\explorer\\\\\\\\run* OR Registry.registry_path=*currentversion\\\\\\\\runservices* OR Registry.registry_path=*\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\* OR Registry.registry_path=\\\"*Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options*\\\" OR Registry.registry_path=HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Netsh\\\\\\\\*) by Registry.dest , Registry.status, Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `registry_keys_used_for_persistence_filter`\",\n                    \"known_false_positives\": \"There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Windows Registry Activities\",\n                            \"Suspicious MSHTA Activity\",\n                            \"DHS Report TA18-074A\",\n               
             \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Ransomware\",\n                            \"Windows Persistence Techniques\",\n                            \"Emotet Malware  DHS Report TA18-201A \"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1547.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Registry Run Keys / Startup Folder\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Rocke\",\n                            \"Tropic Trooper\",\n                            \"Gamaredon Group\",\n                            \"Sharpshooter\",\n                            \"Molerats\",\n                            \"Silence\",\n                            \"RTM\",\n                            \"Inception\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"Kimsuky\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"APT18\",\n                        
    \"Turla\",\n                            \"Dark Caracal\",\n                            \"Cobalt Group\",\n                            \"Honeybee\",\n                            \"Threat Group-3390\",\n                            \"Dragonfly 2.0\",\n                            \"Gorgon Group\",\n                            \"Ke3chang\",\n                            \"APT19\",\n                            \"Leviathan\",\n                            \"MuddyWater\",\n                            \"APT37\",\n                            \"BRONZE BUTLER\",\n                            \"Magic Hound\",\n                            \"APT3\",\n                            \"FIN10\",\n                            \"FIN7\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            \"Lazarus Group\",\n                            \"Putter Panda\",\n                            \"APT29\",\n                            \"Darkhotel\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to 
filter out false positives. \",\n                            \"name\": \"registry_keys_used_for_persistence_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"SMB Traffic Spike\",\n                    \"id\": \"7f5fb3e1-4209-4914-90db-0ec21b936378\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search looks for spikes in the number of Server Message Block (SMB) traffic connections.\",\n                    \"how_to_implement\": \"This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | `drop_dm_object_name(\\\"All_Traffic\\\")` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \\\"-70m@m\\\"), count, null))) as count avg(eval(if(_time<relative_time(maxtime, \\\"-70m@m\\\"), count, null))) as avg stdev(eval(if(_time<relative_time(maxtime, \\\"-70m@m\\\"), count, null))) as stdev by src | eval upperBound=(avg+stdev*2), isOutlier=if(count > upperBound AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count | `smb_traffic_spike_filter` \",\n                    \"known_false_positives\": \"A file server may experience high-demand loads that could cause this analytic to trigger.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"Hidden Cobra Malware\",\n                    
        \"Ransomware\",\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1021.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"SMB/Windows Admin Shares\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"Orangeworm\",\n                            \"FIN8\",\n                            \"APT3\",\n                            \"Lazarus Group\",\n                            \"Threat Group-1314\",\n                            \"Turla\",\n                            \"Deep Panda\",\n                            \"Ke3chang\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            
\"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"smb_traffic_spike_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"SMB Traffic Spike - MLTK\",\n                    \"id\": \"d25773ba-9ad8-48d1-858e-07ad0bbeb828\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search uses the Machine Learning Toolkit (MLTK) to identify spikes in the number of Server Message Block (SMB) connections.\",\n                    \"how_to_implement\": \"To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \\\"Baseline of SMB Traffic - MLTK\\\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\\\\\\nThis search produces a field (Number of events,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \\\\\\n1. 
**Label:** Number of events, **Field:** count\\\\\\nDetailed documentation on how to create a new field within Incident Review is found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, \\\"%H\\\") | eval DayOfWeek=strftime(_time, \\\"%A\\\") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 | rename \\\"IsOutlier(count)\\\" as isOutlier | search isOutlier > 0 | sort -count | table _time src dest port count | `smb_traffic_spike___mltk_filter` \",\n                    \"known_false_positives\": \"If you are seeing more results than desired, you may consider reducing the value of the threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. 
Please update the `smb_traffic_spike___mltk_filter` macro (the one referenced at the end of the search) to filter out false positive results\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"Hidden Cobra Malware\",\n                            \"Ransomware\",\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1021.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"SMB/Windows Admin Shares\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"Orangeworm\",\n                            \"FIN8\",\n                            \"APT3\",\n                            \"Lazarus Group\",\n                            \"Threat Group-1314\",\n                            \"Turla\",\n                            \"Deep Panda\",\n                            \"Ke3chang\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of SMB Traffic - 
MLTK\",\n                            \"id\": \"df98763b-0b08-4281-8ef9-08db7ac572a9\",\n                            \"version\": 1,\n                            \"date\": \"2019-05-08\",\n                            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the number of SMB connections observed each hour for every day of week. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search to identify outliers in the number of SMB connections for that hour and day of the week.\",\n                            \"how_to_implement\": \"You must be ingesting network traffic and populating the Network_Traffic data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. To improve your results, you may consider adding \\\"src\\\" to the by clause, which will build the model for each unique source in your environment. However, if you have a large number of hosts in your environment, this search may be very resource intensive. In this case, you may need to raise the value of max_inputs and/or max_groups in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. Note that, as written, this baseline aggregates connection counts with span=10m while the corresponding detection search aggregates with span=1h; the two spans should be aligned so that the model scores the same count distribution it was trained on. 
More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=10m, All_Traffic.src | eval HourOfDay=strftime(_time, \\\"%H\\\") | eval DayOfWeek=strftime(_time, \\\"%A\\\") | `drop_dm_object_name(\\\"All_Traffic\\\")` | fit DensityFunction count by \\\"HourOfDay,DayOfWeek\\\" into smb_pdfmodel\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"DHS Report TA18-074A\",\n                                    \"Disabling Security Tools\",\n                                    \"Emotet Malware  DHS Report TA18-201A \",\n                                    \"Hidden Cobra Malware\",\n                                    \"Netsh Abuse\",\n                                    \"Ransomware\"\n                                ],\n                                \"detections\": [\n                                    \"Processes launching netsh\",\n                                    \"SMB Traffic Spike - MLTK\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"Controls whether tstats searches are restricted to data model summaries. As defined here (summariesonly=false allow_old_summaries=true), tstats is not restricted to accelerated summary data; set summariesonly=true if you want the search to use only the data model summaries.\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit 
the output results to filter out false positives. \",\n                            \"name\": \"smb_traffic_spike___mltk_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"F5 TMUI RCE CVE-2020-5902\",\n            \"id\": \"7678c968-d46e-11ea-87d0-0242ac130003\",\n            \"version\": 1,\n            \"date\": \"2020-08-02\",\n            \"description\": \"Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ. and Traffix SDC devices (vulnerable versions in F5 support link below). This vulnerability allows unauthenticated users, along with authenticated users, who have access to the configuration utility to execute system commands, create/delete files, disable services, and/or execute Java code.  This vulnerability can result in full system compromise.\",\n            \"narrative\": \"A client is able to perform a remote code execution on an exposed and vulnerable system. The detection search in this Analytic Story uses syslog to detect the malicious behavior. Syslog is going to be the best detection method, as any systems using SSL to protect their management console will make detection via wire data difficult.  
The searches included used Splunk Connect For Syslog (https://splunkbase.splunk.com/app/4740/), and used a custom destination port to help define the data as F5 data (covered in https://splunk-connect-for-syslog.readthedocs.io/en/master/sources/F5/)\",\n            \"author\": \"Shannon Davis, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/\",\n                \"https://support.f5.com/csp/article/K52145254\",\n                \"https://blog.cloudflare.com/cve-2020-5902-helping-to-protect-against-the-f5-tmui-rce-vulnerability/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"F5 TMUI RCE CVE-2020-5902\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1190\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Exploit Public-Facing Application\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"Axiom\",\n                    \"Soft Cell\",\n                    \"APT39\",\n                    \"APT41\",\n                    \"BlackTech\",\n                    \"Rocke\",\n                    \"Night Dragon\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect F5 TMUI RCE CVE-2020-5902\",\n                    \"id\": \"810e4dbc-d46e-11ea-87d0-0242ac130003\",\n                    \"version\": 1,\n                    \"date\": \"2020-08-02\",\n                    \"description\": 
\"This search detects remote code execution exploit attempts on F5 BIG-IP, BIG-IQ, and Traffix SDC devices\",\n                    \"how_to_implement\": \"To consistently detect exploit attempts against the vulnerabilities contained within CVE-2020-5902 on F5 devices, it is recommended to ingest logs via syslog.  As many BIG-IP devices will have SSL enabled on their management interfaces, detections via wire data may not pick anything up unless you are decrypting SSL traffic in order to inspect it.  The search applies a regex derived from a Cloudflare mitigation technique to catch the offending path-traversal string (..;) along with the other known exploit string (hsqldb;). Note that the regex matches these literal strings in the raw event; requests in which they arrive URL-encoded (for example %2e%2e;) will not be matched as written unless the logging pipeline decodes them first.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/\",\n                        \"https://support.f5.com/csp/article/K52145254\",\n                        \"https://blog.cloudflare.com/cve-2020-5902-helping-to-protect-against-the-f5-tmui-rce-vulnerability/\"\n                    ],\n                    \"author\": \"Shannon Davis, Splunk\",\n                    \"search\": \"`f5_bigip_rogue` | regex _raw=\\\"(hsqldb;|.*\\\\\\\\.\\\\\\\\.;.*)\\\" | search `detect_f5_tmui_rce_cve_2020_5902_filter`\",\n                    \"known_false_positives\": \"unknown\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"F5 TMUI RCE CVE-2020-5902\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1190\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Exploitation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 11\"\n                        ],\n          
              \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Network\",\n                        \"mitre_attack_technique\": [\n                            \"Exploit Public-Facing Application\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"Rocke\",\n                            \"APT39\",\n                            \"BlackTech\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"Night Dragon\",\n                            \"Axiom\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"index=netops sourcetype=\\\"f5:bigip:rogue\\\"\",\n                            \"description\": \"Customer-specific Splunk configuration (e.g. index, source, sourcetype). Replace the macro definition with the configuration for your Splunk environment.\",\n                            \"name\": \"f5_bigip_rogue\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"detect_f5_tmui_rce_cve_2020_5902_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"GCP Cross Account Activity\",\n            \"id\": \"0432039c-ef41-4b03-b157-450c25dad1e6\",\n            \"version\": 1,\n            \"date\": \"2020-09-01\",\n            \"description\": \"Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.\",\n            \"narrative\": \"Google Cloud Platform (GCP) admins manage access to GCP resources and services across the enterprise using GCP Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage GCP users, groups, and roles — each with their own unique set of privileges and defined access to specific resources (such as Compute instances, the GCP Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are potentially assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\\\\\\nThe window between when the temporary credentials are issued and when they expire is a period of opportunity, during which a user could leverage the temporary credentials to wreak havoc — spin up or remove instances, create new users, elevate privileges, and carry out other malicious activities — throughout the environment.\\\\\\nThis Analytic Story includes searches that will help you monitor your GCP Audit logs for evidence of suspicious cross-account activity.  For example, while accessing multiple GCP accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. 
After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.\",\n            \"author\": \"Rod Soto, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://cloud.google.com/iam/docs/understanding-service-accounts\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"GCP Cross Account Activity\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Valid Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Dragonfly 2.0\",\n                    \"Soft Cell\",\n                    \"APT41\",\n                    \"Threat Group-3390\",\n                    \"Night Dragon\",\n                    \"FIN10\",\n                    \"APT18\",\n                    \"TEMP.Veles\",\n                    \"APT28\",\n                    \"FIN8\",\n                    \"Sandworm Team\",\n                    \"Silence\",\n                    \"menuPass\",\n                    \"Suckfly\",\n                    \"APT39\",\n                    \"Carbanak\",\n                    \"FIN5\",\n                    \"Wizard Spider\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"FIN4\",\n                    \"PittyTiger\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    
\"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-10-09\",\n                    \"description\": \"This search provides detection of accounts granted high risk roles, by project. Compromised accounts with high risk roles can move laterally or even escalate privileges across projects, depending on the organization's schema.\",\n                    \"how_to_implement\": \"You must install the Splunk GCP add-on. This search works with gcp:pubsub:message logs\",\n                    \"id\": \"27af8c15-38b0-4408-b339-920170724adb\",\n                    \"known_false_positives\": \"Accounts with high risk roles should be reduced to the minimum number needed; however, specific tasks and setups may simply be expected behavior within the organization. Note also that only the first role in the search is qualified with the bindings{}.role field name; the remaining OR terms are evaluated as bare keywords against the raw event, so the search can also match events that merely mention one of those role names.\",\n                    \"name\": \"GCP Detect accounts with high risk roles by project\",\n                    \"references\": [\n                        \"https://github.com/dxa4481/gcploit\",\n                        \"https://www.youtube.com/watch?v=Ml09R38jpok\",\n                        \"https://cloud.google.com/iam/docs/understanding-roles\"\n                    ],\n                    \"search\": \"`google_gcp_pubsub_message` data.protoPayload.request.policy.bindings{}.role=roles/owner OR roles/editor OR roles/iam.serviceAccountUser OR roles/iam.serviceAccountAdmin OR roles/iam.serviceAccountTokenCreator OR roles/dataflow.developer OR roles/dataflow.admin OR roles/composer.admin OR roles/dataproc.admin OR roles/dataproc.editor | table data.resource.type data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.authorizationInfo{}.resource data.protoPayload.response.bindings{}.role data.protoPayload.response.bindings{}.members{} | `gcp_detect_accounts_with_high_risk_roles_by_project_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"GCP Cross Account Activity\"\n                   
     ],\n                        \"asset_type\": \"GCP Account\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [\n                            \"Valid Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"TEMP.Veles\",\n                            \"APT39\",\n                            \"FIN4\",\n                            \"Night Dragon\",\n                            \"Dragonfly 2.0\",\n                            \"FIN8\",\n                            \"Leviathan\",\n                            \"APT33\",\n                            \"OilRig\",\n                            \"FIN5\",\n                            \"menuPass\",\n                            \"APT28\",\n                            \"FIN10\",\n                            \"Suckfly\",\n                            \"FIN6\",\n                            \"Threat Group-3390\",\n                            \"APT18\",\n                            \"PittyTiger\",\n                            \"Carbanak\"\n                        ]\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n             
       \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                            \"description\": \"Customer-specific Splunk configuration (e.g. index, source, sourcetype). Replace the macro definition with the configuration for your Splunk environment.\",\n                            \"name\": \"google_gcp_pubsub_message\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"gcp_detect_accounts_with_high_risk_roles_by_project_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-10-08\",\n                    \"description\": \"This search provides detection of the GCPloit exploitation framework. This framework can be used to escalate privileges and move laterally from compromised high privilege accounts.\",\n                    \"how_to_implement\": \"You must install the Splunk GCP add-on. 
This search works with gcp:pubsub:message logs\",\n                    \"id\": \"a1c5a85e-a162-410c-a5d9-99ff639e5a52\",\n                    \"known_false_positives\": \"The protoPayload.request.function.timeout value may also match legitimate function deployments or requests; however, the source user together with the target service account may indicate an attempt to move laterally across accounts or projects. Note that this search keys on a single fixed timeout value (539s) associated with the tool, so an operator who changes that value will not be matched by this search.\",\n                    \"name\": \"GCP Detect gcploit framework\",\n                    \"references\": [\n                        \"https://github.com/dxa4481/gcploit\",\n                        \"https://www.youtube.com/watch?v=Ml09R38jpok\"\n                    ],\n                    \"search\": \"`google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s | table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location http_user_agent | `gcp_detect_gcploit_framework_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"GCP Cross Account Activity\"\n                        ],\n                        \"asset_type\": \"GCP Account\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [\n                            \"Valid Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        
\"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"TEMP.Veles\",\n                            \"APT39\",\n                            \"FIN4\",\n                            \"Night Dragon\",\n                            \"Dragonfly 2.0\",\n                            \"FIN8\",\n                            \"Leviathan\",\n                            \"APT33\",\n                            \"OilRig\",\n                            \"FIN5\",\n                            \"menuPass\",\n                            \"APT28\",\n                            \"FIN10\",\n                            \"Suckfly\",\n                            \"FIN6\",\n                            \"Threat Group-3390\",\n                            \"APT18\",\n                            \"PittyTiger\",\n                            \"Carbanak\"\n                        ]\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                            \"description\": \"Customer-specific Splunk configuration (e.g. index, source, sourcetype). Replace the macro definition with the configuration for your Splunk environment.\",\n                            \"name\": \"google_gcp_pubsub_message\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"gcp_detect_gcploit_framework_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-10-09\",\n                    \"description\": \"This search provides detection of the use of high risk permissions, by resource and account. These are permissions that can allow attackers with compromised accounts to move laterally and escalate privileges.\",\n                    \"how_to_implement\": \"You must install the Splunk GCP add-on. This search works with gcp:pubsub:message logs\",\n                    \"id\": \"2e70ef35-2187-431f-aedc-4503dc9b06ba\",\n                    \"known_false_positives\": \"High risk permissions are used in any GCP environment, so this search may produce false positives; it is nonetheless important to track which resources and accounts use them. Note also that only the first permission in the search is qualified with the authorizationInfo{}.permission field name; the remaining OR terms are evaluated as bare keywords against the raw event, so the search can also match events that merely mention one of those permission names.\",\n                    \"name\": \"GCP Detect high risk permissions by resource and account\",\n                    \"references\": [\n                        \"https://github.com/dxa4481/gcploit\",\n                        \"https://www.youtube.com/watch?v=Ml09R38jpok\",\n                        \"https://cloud.google.com/iam/docs/permissions-reference\"\n                    ],\n                    \"search\": \"`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.permission=iam.serviceAccounts.getaccesstoken OR iam.serviceAccounts.setIamPolicy OR iam.serviceAccounts.actas OR dataflow.jobs.create OR composer.environments.create OR dataproc.clusters.create |table data.protoPayload.requestMetadata.callerIp data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.response.bindings{}.members{} data.resource.labels.project_id | `gcp_detect_high_risk_permissions_by_resource_and_account_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n            
                \"GCP Cross Account Activity\"\n                        ],\n                        \"asset_type\": \"GCP Account\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [\n                            \"Valid Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"TEMP.Veles\",\n                            \"APT39\",\n                            \"FIN4\",\n                            \"Night Dragon\",\n                            \"Dragonfly 2.0\",\n                            \"FIN8\",\n                            \"Leviathan\",\n                            \"APT33\",\n                            \"OilRig\",\n                            \"FIN5\",\n                            \"menuPass\",\n                            \"APT28\",\n                            \"FIN10\",\n                            \"Suckfly\",\n                            \"FIN6\",\n                            \"Threat Group-3390\",\n                            \"APT18\",\n                            \"PittyTiger\",\n                            \"Carbanak\"\n                        ]\n                    },\n                    
\"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                            \"description\": \"Customer-specific Splunk configuration (e.g. index, source, sourcetype). Replace the macro definition with the configuration for your Splunk environment.\",\n                            \"name\": \"google_gcp_pubsub_message\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"gcp_detect_high_risk_permissions_by_resource_and_account_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-09-01\",\n                    \"description\": \"This search provides detection of possible GCP OAuth token abuse. A GCP OAuth token without a time limit can be exfiltrated and reused to keep access sessions alive without any further authentication check, allowing attackers to access resources and move laterally.\",\n                    \"how_to_implement\": \"You must install the Splunk GCP add-on. 
This search works with gcp:pubsub:message logs\",\n                    \"id\": \"a7e9f7bb-8901-4ad0-8d88-0a4ab07b1972\",\n                    \"known_false_positives\": \"GCP Oauth token abuse detection will only work if there are access policies in place along with audit logs.\",\n                    \"name\": \"gcp detect oauth token abuse\",\n                    \"references\": [\n                        \"https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1\",\n                        \"https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2\"\n                    ],\n                    \"search\": \"`google_gcp_pubsub_message` type.googleapis.com/google.cloud.audit.AuditLog |table protoPayload.@type protoPayload.status.details{}.@type protoPayload.status.details{}.violations{}.callerIp protoPayload.status.details{}.violations{}.type protoPayload.status.message  | `gcp_detect_oauth_token_abuse_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"GCP Cross Account Activity\"\n                        ],\n                        \"asset_type\": \"GCP Account\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [\n                            \"Valid Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            
\"Sandworm Team\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"TEMP.Veles\",\n                            \"APT39\",\n                            \"FIN4\",\n                            \"Night Dragon\",\n                            \"Dragonfly 2.0\",\n                            \"FIN8\",\n                            \"Leviathan\",\n                            \"APT33\",\n                            \"OilRig\",\n                            \"FIN5\",\n                            \"menuPass\",\n                            \"APT28\",\n                            \"FIN10\",\n                            \"Suckfly\",\n                            \"FIN6\",\n                            \"Threat Group-3390\",\n                            \"APT18\",\n                            \"PittyTiger\",\n                            \"Carbanak\"\n                        ]\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                            \"description\": \"Customer-specific Splunk configuration (e.g. index, source, sourcetype). Replace the macro definition with the configuration for your Splunk environment.\",\n                            \"name\": \"google_gcp_pubsub_message\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"gcp_detect_oauth_token_abuse_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Hidden Cobra Malware\",\n            \"id\": \"baf7580b-d4b4-4774-8173-7d198e9da335\",\n            \"version\": 2,\n            \"date\": \"2020-01-22\",\n            \"description\": \"Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A.\",\n            \"narrative\": \"North Korea's government-sponsored \\\"cyber army\\\" has been slowly building momentum and gaining sophistication over the last 15 years or so. As a result, the group's activity, which the US government refers to as \\\"Hidden Cobra,\\\" has surreptitiously crept onto the collective radar as a preeminent global threat.\\\\\\nThese state-sponsored actors are thought to be responsible for everything from a hack on a South Korean nuclear plant to an attack on Sony in anticipation of its release of the movie \\\"The Interview\\\" at the end of 2014. They're also notorious for cyberespionage. In recent years, the group seems to be focused on financial crimes, such as cryptojacking.\\\\\\nIn June of 2018, The Department of Homeland Security, together with the FBI and other U.S. government partners, issued Technical Alert (TA-18-149A) to advise the public about two variants of North Korean malware. One variant, dubbed \\\"Joanap,\\\" is a multi-stage peer-to-peer botnet that allows North Korean state actors to exfiltrate data, download and execute secondary payloads, and initialize proxy communications. The other variant, \\\"Brambul,\\\" is a Windows32 SMB worm that is dropped into a victim network. 
When executed, the malware attempts to spread laterally within a victim's local subnet, connecting via the SMB protocol and initiating brute-force password attacks. It reports details to the Hidden Cobra actors via email, so they can use the information for secondary remote operations.\\\\\\nAmong other searches in this Analytic Story is a detection search that looks for the creation or deletion of hidden shares, such as, \\\"adnim$,\\\" which the Hidden Cobra malware creates on the target system. Another looks for the creation of three malicious files associated with the malware. You can also use a search in this story to investigate activity that indicates that malware is sending email back to the attackers.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity\",\n                \"https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Hidden Cobra Malware\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Malware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1059.003\",\n                    \"T1021.001\",\n                    \"T1021.002\",\n                    \"T1071.004\",\n                    \"T1059.001\",\n                    \"T1071.002\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Remote Desktop Protocol\",\n                    \"SMB/Windows Admin Shares\",\n                    \"DNS\",\n                    \"File Transfer Protocols\",\n                    \"Windows Command Shell\",\n                    \"PowerShell\"\n                ],\n                \"mitre_attack_tactics\": [\n                    
\"Lateral Movement\",\n                    \"Execution\",\n                    \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Dragonfly 2.0\",\n                    \"Soft Cell\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"Stolen Pencil\",\n                    \"APT41\",\n                    \"BRONZE BUTLER\",\n                    \"Honeybee\",\n                    \"Gamaredon Group\",\n                    \"Frankenstein\",\n                    \"Threat Group-3390\",\n                    \"DarkHydrus\",\n                    \"Cobalt Group\",\n                    \"TA459\",\n                    \"APT18\",\n                    \"FIN10\",\n                    \"Tropic Trooper\",\n                    \"APT32\",\n                    \"Patchwork\",\n                    \"TEMP.Veles\",\n                    \"APT28\",\n                    \"Deep Panda\",\n                    \"Turla\",\n                    \"Rancor\",\n                    \"CopyKittens\",\n                    \"FIN8\",\n                    \"SilverTerrier\",\n                    \"APT38\",\n                    \"Gallmaker\",\n                    \"APT29\",\n                    \"Sowbug\",\n                    \"Silence\",\n                    \"Molerats\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"menuPass\",\n                    \"DarkVishnya\",\n                    \"Blue Mockingbird\",\n                    \"Suckfly\",\n                    \"Machete\",\n                    \"APT33\",\n                    \"Poseidon Group\",\n                    \"Stealth Falcon\",\n                    \"APT39\",\n                    \"Gorgon Group\",\n                    \"Magic Hound\",\n                    \"admin@338\",\n                    \"Orangeworm\",\n                    \"Inception\",\n                    
\"Kimsuky\",\n                    \"Dark Caracal\",\n                    \"Axiom\",\n                    \"Thrip\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"Wizard Spider\",\n                    \"WIRTE\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"Threat Group-1314\",\n                    \"FIN6\",\n                    \"TA505\",\n                    \"Ke3chang\",\n                    \"APT1\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Create or delete windows shares using net exe\",\n                    \"id\": \"qw9919ed-fe5f-492c-b139-151bb162140e\",\n                    \"version\": 5,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for the creation or deletion of hidden shares using net.exe.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://attack.mitre.org/techniques/T1077/\",\n                        \"https://attack.mitre.org/techniques/T1126/\"\n                    ],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processs.process_name=net.exe OR Processes.process_name=net1.exe) by Processes.process Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter` \",\n                    \"known_false_positives\": \"Administrators often leverage net.exe to create or delete network shares. 
You should verify that the activity was intentional and is legitimate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Hidden Cobra Malware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Command Shell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"TA505\",\n                            \"Blue Mockingbird\",\n                            \"Tropic Trooper\",\n                            \"Frankenstein\",\n                            \"OilRig\",\n                            \"Lazarus Group\",\n                            \"Honeybee\",\n                            \"Cobalt Group\",\n                            \"FIN7\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"Turla\",\n                            \"Silence\",\n                            \"APT32\",\n                            \"APT39\",\n                            \"Darkhotel\",\n                            \"MuddyWater\",\n                            \"APT18\",\n                            \"APT38\",\n            
                \"Dark Caracal\",\n                            \"Gorgon Group\",\n                            \"Dragonfly 2.0\",\n                            \"Rancor\",\n                            \"Ke3chang\",\n                            \"APT37\",\n                            \"Leviathan\",\n                            \"FIN8\",\n                            \"APT28\",\n                            \"Magic Hound\",\n                            \"Sowbug\",\n                            \"BRONZE BUTLER\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Gamaredon Group\",\n                            \"Suckfly\",\n                            \"Patchwork\",\n                            \"Threat Group-1314\",\n                            \"APT3\",\n                            \"admin@338\",\n                            \"APT1\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"create_or_delete_windows_shares_using_net_exe_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"First time seen command line argument\",\n                    \"id\": \"9be56c82-b1cc-4318-87eb-q138afaaqa39\",\n                    \"version\": 5,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. Please make sure you run the support search \\\"Previously seen command line arguments,\\\"—which creates a lookup file called `previously_seen_cmd_line_arguments.csv`—a historical baseline of all command-line arguments. You must also validate this list. 
For the search to do accurate calculation, ensure the search scheduling is the same value as the `relative_time` evaluation function.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \\\"* /c *\\\" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest| `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \\\"* /c *\\\" by Processes.process | `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter` \",\n                    \"known_false_positives\": \"Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. 
We recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DHS Report TA18-074A\",\n                            \"Suspicious Command-Line Executions\",\n                            \"Orangeworm Attack Group\",\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Hidden Cobra Malware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.001\",\n                            \"T1059.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"PowerShell\",\n                            \"Windows Command Shell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\",\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"DarkVishnya\",\n                            \"Molerats\",\n                            \"Wizard Spider\",\n          
                  \"Frankenstein\",\n                            \"Inception\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Soft Cell\",\n                            \"TA505\",\n                            \"WIRTE\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"Gallmaker\",\n                            \"Turla\",\n                            \"APT19\",\n                            \"DarkHydrus\",\n                            \"APT28\",\n                            \"Thrip\",\n                            \"Gorgon Group\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"Leviathan\",\n                            \"TA459\",\n                            \"FIN8\",\n                            \"MuddyWater\",\n                            \"Magic Hound\",\n                            \"OilRig\",\n                            \"BRONZE BUTLER\",\n                            \"CopyKittens\",\n                            \"APT32\",\n                            \"FIN7\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Patchwork\",\n                            \"Stealth Falcon\",\n                            \"FIN6\",\n                            \"Poseidon Group\",\n                            \"APT3\",\n                            \"APT29\",\n                            \"Deep Panda\",\n                            \"TA505\",\n                            \"Blue Mockingbird\",\n                            \"Tropic Trooper\",\n                            \"Frankenstein\",\n                            \"OilRig\",\n                            \"Lazarus Group\",\n                            \"Honeybee\",\n        
                    \"Cobalt Group\",\n                            \"FIN7\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"Turla\",\n                            \"Silence\",\n                            \"APT32\",\n                            \"APT39\",\n                            \"Darkhotel\",\n                            \"MuddyWater\",\n                            \"APT18\",\n                            \"APT38\",\n                            \"Dark Caracal\",\n                            \"Gorgon Group\",\n                            \"Dragonfly 2.0\",\n                            \"Rancor\",\n                            \"Ke3chang\",\n                            \"APT37\",\n                            \"Leviathan\",\n                            \"FIN8\",\n                            \"APT28\",\n                            \"Magic Hound\",\n                            \"Sowbug\",\n                            \"BRONZE BUTLER\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Gamaredon Group\",\n                            \"Suckfly\",\n                            \"Patchwork\",\n                            \"Threat Group-1314\",\n                            \"APT3\",\n                            \"admin@338\",\n                            \"APT1\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously seen command line arguments\",\n                            \"id\": \"56059acf-50fe-4f60-98d1-b75b51b5c2f3\",\n                            \"version\": 2,\n                            \"date\": \"2019-03-01\",\n                            \"description\": \"This search looks for command-line arguments where `cmd.exe /c` is used to execute a program, then creates a 
baseline of the earliest and latest times we have encountered this command-line argument in our dataset within the last 30 days.\",\n                            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe AND Processes.process=\\\"* /c *\\\" by Processes.process | `drop_dm_object_name(Processes)`\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"DHS Report TA18-074A\",\n                                    \"Disabling Security Tools\",\n                                    \"Hidden Cobra Malware\",\n                                    \"Netsh Abuse\",\n                                    \"Orangeworm Attack Group\",\n                                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                                    \"Suspicious Command-Line Executions\",\n                                    \"Suspicious MSHTA Activity\"\n                                ],\n                                \"detections\": [\n                                    \"Detect Prohibited Applications Spawning cmd.exe\",\n                                    \"Processes launching netsh\",\n                                    \"First time seen command line argument\"\n                                ]\n                            }\n                        }\n               
     ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"first_time_seen_command_line_argument_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Remote Desktop Process Running On System\",\n                    \"id\": \"f5939373-8054-40ad-8c64-cec478a22a4a\",\n                    \"version\": 5,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for the remote desktop process mstsc.exe running on systems upon which it doesn't typically run. This is accomplished by filtering out all systems that are noted in the `common_rdp_source category` in the Assets and Identity framework.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. 
The search requires you to identify systems that do not commonly use remote desktop. You can use the included support search \\\"Identify Systems Using Remote Desktop\\\" to identify these systems. After identifying them, you will need to add the \\\"common_rdp_source\\\" category to that system using the Enterprise Security Assets and Identities framework. This can be done by adding an entry in the assets.csv file located in `SA-IdentityManagement/lookups`.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter` \",\n                    \"known_false_positives\": \"Remote Desktop may be used legitimately by users on the network.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Hidden Cobra Malware\",\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1021.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 9\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"PR.AC\",\n                            \"PR.IP\"\n    
                    ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Remote Desktop Protocol\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"TEMP.Veles\",\n                            \"Leviathan\",\n                            \"APT39\",\n                            \"Stolen Pencil\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"FIN8\",\n                            \"APT3\",\n                            \"OilRig\",\n                            \"menuPass\",\n                            \"FIN10\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            \"Lazarus Group\",\n                            \"APT1\",\n                            \"Axiom\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                    
        \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"remote_desktop_process_running_on_system_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Suspicious File Write\",\n                    \"id\": \"57f76b8a-32f0-42ed-b358-d9fa3ca7bac8\",\n                    \"version\": 3,\n                    \"date\": \"2019-04-25\",\n                    \"description\": \"The search looks for files created with names that have been linked to malicious activity.\",\n                    \"how_to_implement\": \"You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file system reads and writes. In addition, this search leverages an included lookup file that contains the names of the files to watch for, as well as a note to communicate why that file name is being monitored. 
This lookup file can be edited to add or remove the file names you want to monitor.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Filesystem.action) as action values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `suspicious_writes` | `suspicious_file_write_filter`\",\n                    \"known_false_positives\": \"It's possible for a legitimate file to be created with the same name as one noted in the lookup file. Filenames listed in the lookup file should be unique enough that collisions are rare. Looking at the location of the file and the process responsible for the activity can help determine whether or not the activity is legitimate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Hidden Cobra Malware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                    
        \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"lookup suspicious_writes_lookup file as file_name OUTPUT note as \\\"Reference\\\" | search \\\"Reference\\\" != False\",\n                            \"description\": \"This macro limites the output to file names that have been marked as suspicious\",\n                            \"name\": \"suspicious_writes\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"suspicious_file_write_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Outbound SMB Traffic\",\n                    \"id\": \"7f5fb3e1-4209-414-90db-0ec21b936378\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for outbound SMB connections made by hosts within your network to the Internet. SMB traffic is used for Windows file-sharing activity. 
One of the techniques often used by attackers involves retrieving the credential hash using an SMB request made to a compromised server controlled by the threat actor.\",\n                    \"how_to_implement\": \"In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have good understanding of how your network segments are designed, and be able to distinguish internal from external address space. Add a category named `internal` to the CIDRs that host the company's assets in `assets_by_cidr.csv` lookup file, which is located in `$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/`. More information on updating this lookup can be found here: https://docs.splunk.com/Documentation/ES/5.0.0/Admin/Addassetandidentitydata. This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest values(All_Traffic.action) from datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb) by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name(\\\"All_Traffic\\\")` | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `detect_outbound_smb_traffic_filter` \",\n                    \"known_false_positives\": \"It is likely that the outbound Server Message Block (SMB) traffic is legitimate, if the company's internal networks are not well-defined in the Assets and Identity Framework. 
Categorize the internal CIDR blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those CIDR blocks. Any other network connection that is going out to the Internet should be investigated and blocked. Best practices suggest preventing external communications of all SMB versions and related protocols at the network boundary.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Hidden Cobra Malware\",\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1071.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\",\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"File Transfer Protocols\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT41\",\n                            \"SilverTerrier\",\n                            \"Machete\",\n                            \"Honeybee\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's 
summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_outbound_smb_traffic_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"DNS Query Length Outliers - MLTK\",\n                    \"id\": \"85fbcfe8-9718-4911-adf6-7000d077a3a9\",\n                    \"version\": 2,\n                    \"date\": \"2020-01-22\",\n                    \"description\": \"This search allows you to identify DNS requests that are unusually large for the record type being requested in your environment.\",\n                    \"how_to_implement\": \"To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \\\"Baseline of DNS Query Length - MLTK\\\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. 
It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\\\\\\nThis search produces fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** DNS Query, **Field:** query\\\\\\n1. \\\\\\n1. **Label:** DNS Query Length, **Field:** query_length\\\\\\n1. \\\\\\n1. **Label:** Number of events, **Field:** count\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* |  `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval query_length = len(query) | apply dns_query_pdfmodel threshold=0.01 | rename \\\"IsOutlier(query_length)\\\" as isOutlier | search isOutlier > 0 | sort -query_length | table start_time end_time query record_type count src dest query_length | `dns_query_length_outliers___mltk_filter` \",\n                    \"known_false_positives\": \"If you 
are seeing more results than desired, you may consider reducing the value for threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Hidden Cobra Malware\",\n                            \"Suspicious DNS Traffic\",\n                            \"Command and Control\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1071.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"DNS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"OilRig\",\n                            \"Ke3chang\",\n                            \"Cobalt Group\",\n                            \"APT18\",\n                            \"APT41\",\n                            \"FIN7\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of DNS Query 
Length - MLTK\",\n                            \"id\": \"c914844c-0ff5-4efc-8d44-c063443129ba\",\n                            \"version\": 1,\n                            \"date\": \"2019-05-08\",\n                            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the DNS queries for each DNS record type observed in the environment. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search, which uses it to identify outliers in the length of the DNS query.\",\n                            \"how_to_implement\": \"To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. 
More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(\\\"DNS\\\")` | eval query_length = len(query) | fit DensityFunction query_length by record_type into dns_query_pdfmodel\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Command and Control\",\n                                    \"Hidden Cobra Malware\",\n                                    \"Suspicious DNS Traffic\"\n                                ],\n                                \"detections\": [\n                                    \"DNS Query Length Outliers - MLTK\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                     
       \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"dns_query_length_outliers___mltk_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"DNS Query Length With High Standard Deviation\",\n                    \"id\": \"1a67f15a-f4ff-4170-84e9-08cf6f75d6f5\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search allows you to identify DNS requests and compute the standard deviation on the length of the names being resolved, then filter on two times the standard deviation to show you those queries that are unusually large for your environment.\",\n                    \"how_to_implement\": \"To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.query DNS.record_type |  `drop_dm_object_name(\\\"DNS\\\")` | eval query_length = len(query) | table query query_length record_type count | eventstats stdev(query_length) AS stdev avg(query_length) AS avg p50(query_length) AS p50| where query_length>(avg+stdev*2) | eval z_score=(query_length-avg)/stdev | `dns_query_length_with_high_standard_deviation_filter` \",\n                    \"known_false_positives\": \"It's possible there can be long domain names that are legitimate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Hidden Cobra Malware\",\n                            \"Suspicious DNS Traffic\",\n                            \"Command and Control\"\n                        
],\n                        \"mitre_attack_id\": [\n                            \"T1071.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"DNS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"OilRig\",\n                            \"Ke3chang\",\n                            \"Cobalt Group\",\n                            \"APT18\",\n                            \"APT41\",\n                            \"FIN7\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"dns_query_length_with_high_standard_deviation_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Remote Desktop Network Traffic\",\n                    \"id\": \"272b8407-842d-4b3d-bead-a704584003d3\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-07\",\n                    \"description\": \"This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. This search allows for whitelisting both source and destination hosts to remove them from the output of the search so you can focus on the uncommon uses of remote desktop on your network.\",\n                    \"how_to_implement\": \"To successfully implement this search you need to identify systems that commonly originate remote desktop traffic and that commonly receive remote desktop traffic. You can use the included support search \\\"Identify Systems Creating Remote Desktop Traffic\\\" to identify systems that originate the traffic and the search \\\"Identify Systems Receiving Remote Desktop Traffic\\\" to identify systems that receive a lot of remote desktop traffic. After identifying these systems, you will need to add the \\\"common_rdp_source\\\" or \\\"common_rdp_destination\\\" category to that system depending on the usage, using the Enterprise Security Assets and Identities framework.  
This can be done by adding an entry in the assets.csv file located in SA-IdentityManagement/lookups.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=3389 AND All_Traffic.dest_category!=common_rdp_destination AND All_Traffic.src_category!=common_rdp_source by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(\\\"All_Traffic\\\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_desktop_network_traffic_filter` \",\n                    \"known_false_positives\": \"Remote Desktop may be used legitimately by users on the network.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"SamSam Ransomware\",\n                            \"Hidden Cobra Malware\",\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1021.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 9\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"PR.AC\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Remote Desktop Protocol\"\n   
                     ],\n                        \"mitre_attack_tactics\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"TEMP.Veles\",\n                            \"Leviathan\",\n                            \"APT39\",\n                            \"Stolen Pencil\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"FIN8\",\n                            \"APT3\",\n                            \"OilRig\",\n                            \"menuPass\",\n                            \"FIN10\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            \"Lazarus Group\",\n                            \"APT1\",\n                            \"Axiom\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n              
              \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"remote_desktop_network_traffic_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"SMB Traffic Spike\",\n                    \"id\": \"7f5fb3e1-4209-4914-90db-0ec21b936378\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search looks for spikes in the number of Server Message Block (SMB) traffic connections.\",\n                    \"how_to_implement\": \"This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | `drop_dm_object_name(\\\"All_Traffic\\\")` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \\\"-70m@m\\\"), count, null))) as count avg(eval(if(_time<relative_time(maxtime, \\\"-70m@m\\\"), count, null))) as avg stdev(eval(if(_time<relative_time(maxtime, \\\"-70m@m\\\"), count, null))) as stdev by src | eval upperBound=(avg+stdev*2), isOutlier=if(count > upperBound AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count | `smb_traffic_spike_filter` \",\n                    \"known_false_positives\": \"A file server may experience high-demand loads that could cause this analytic to trigger.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Emotet Malware  DHS Report TA18-201A 
\",\n                            \"Hidden Cobra Malware\",\n                            \"Ransomware\",\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1021.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"SMB/Windows Admin Shares\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"Orangeworm\",\n                            \"FIN8\",\n                            \"APT3\",\n                            \"Lazarus Group\",\n                            \"Threat Group-1314\",\n                            \"Turla\",\n                            \"Deep Panda\",\n                            \"Ke3chang\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n          
                  \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"smb_traffic_spike_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"SMB Traffic Spike - MLTK\",\n                    \"id\": \"d25773ba-9ad8-48d1-858e-07ad0bbeb828\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search uses the Machine Learning Toolkit (MLTK) to identify spikes in the number of Server Message Block (SMB) connections.\",\n                    \"how_to_implement\": \"To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \\\"Baseline of SMB Traffic - MLTK\\\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\\\\\\nThis search produces a field (Number of events,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \\\\\\n1. 
**Label:** Number of events, **Field:** count\\\\\\nDetailed documentation on how to create a new field within Incident Review is found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, \\\"%H\\\") | eval DayOfWeek=strftime(_time, \\\"%A\\\") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 | rename \\\"IsOutlier(count)\\\" as isOutlier | search isOutlier > 0 | sort -count | table _time src dest port count | `smb_traffic_spike___mltk_filter` \",\n                    \"known_false_positives\": \"If you are seeing more results than desired, you may consider reducing the value of the threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. 
Please update the `smb_traffic_spike_mltk_filter` macro to filter out false positive results\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"Hidden Cobra Malware\",\n                            \"Ransomware\",\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1021.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"SMB/Windows Admin Shares\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"Orangeworm\",\n                            \"FIN8\",\n                            \"APT3\",\n                            \"Lazarus Group\",\n                            \"Threat Group-1314\",\n                            \"Turla\",\n                            \"Deep Panda\",\n                            \"Ke3chang\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of SMB Traffic - 
MLTK\",\n                            \"id\": \"df98763b-0b08-4281-8ef9-08db7ac572a9\",\n                            \"version\": 1,\n                            \"date\": \"2019-05-08\",\n                            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the number of SMB connections observed each hour for every day of week. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search to identify outliers in the number of SMB connections for that hour and day of the week.\",\n                            \"how_to_implement\": \"You must be ingesting network traffic and populating the Network_Traffic data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. To improve your results, you may consider adding \\\"src\\\" to the by clause, which will build the model for each unique source in your enviornment. However, if you have a large number of hosts in your environment, this search may be very resource intensive. In this case, you may need to raise the value of max_inputs and/or max_groups in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. 
More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=10m, All_Traffic.src | eval HourOfDay=strftime(_time, \\\"%H\\\") | eval DayOfWeek=strftime(_time, \\\"%A\\\") | `drop_dm_object_name(\\\"All_Traffic\\\")` | fit DensityFunction count by \\\"HourOfDay,DayOfWeek\\\" into smb_pdfmodel\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"DHS Report TA18-074A\",\n                                    \"Disabling Security Tools\",\n                                    \"Emotet Malware  DHS Report TA18-201A \",\n                                    \"Hidden Cobra Malware\",\n                                    \"Netsh Abuse\",\n                                    \"Ransomware\"\n                                ],\n                                \"detections\": [\n                                    \"Processes launching netsh\",\n                                    \"SMB Traffic Spike - MLTK\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit 
the output results to filter out false positives. \",\n                            \"name\": \"smb_traffic_spike___mltk_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Host Redirection\",\n            \"id\": \"2e8948a5-5239-406b-b56b-6c50fe268af4\",\n            \"version\": 1,\n            \"date\": \"2017-09-14\",\n            \"description\": \"Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--potentially one that is part of an adversary's attack infrastructure. An example is redirecting communications regarding patches and updates or misleading users into visiting a malicious website.\",\n            \"narrative\": \"Attackers will often attempt to manipulate client communications for nefarious purposes. In some cases, an attacker may endeavor to modify a local host file to redirect communications with resources (such as antivirus or system-update services) to prevent clients from receiving patches or updates. In other cases, an attacker might use this tactic to have the client connect to a site that looks like the intended site, but instead installs malware or collects information from the victim. 
Additionally, an attacker may redirect a victim in order to execute a MITM attack and observe communications.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Host Redirection\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Abuse\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1048.003\",\n                    \"T1071.004\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"DNS\",\n                    \"Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Exfiltration\",\n                    \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT32\",\n                    \"Tropic Trooper\",\n                    \"APT18\",\n                    \"Thrip\",\n                    \"APT39\",\n                    \"Ke3chang\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"APT41\",\n                    \"OilRig\",\n                    \"FIN8\",\n                    \"Cobalt Group\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Windows hosts file modification\",\n                    \"id\": \"06a6fc63-a72d-41dc-8736-7e3dd9612116\",\n                    \"version\": 1,\n                    \"date\": \"2018-11-02\",\n                    \"description\": \"The search looks for modifications to the hosts file on all Windows endpoints across your environment.\",\n                    
\"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem  by Filesystem.file_name Filesystem.file_path Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | search Filesystem.file_name=hosts AND Filesystem.file_path=*Windows\\\\\\\\System32\\\\\\\\* | `drop_dm_object_name(Filesystem)` | `windows_hosts_file_modification_filter`\",\n                    \"known_false_positives\": \"There may be legitimate reasons for system administrators to add entries to this file.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Host Redirection\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 8\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\",\n                            \"PR.PT\",\n                            \"PR.AC\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": 
\"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"windows_hosts_file_modification_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Clients Connecting to Multiple DNS Servers\",\n                    \"id\": \"74ec6f18-604b-4202-a567-86b2066be3ce\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search.\",\n                    \"how_to_implement\": \"This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro.\\\\\\nThis search produces fields (`dest_count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. 
**Label:** Distinct DNS Connections, **Field:** dest_count\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src | `drop_dm_object_name(\\\"Network_Resolution\\\")` |where dest_count > 5 | `clients_connecting_to_multiple_dns_servers_filter` \",\n                    \"known_false_positives\": \"It's possible that an enterprise has more than five DNS servers that are configured in a round-robin rotation. Please customize the search, as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DNS Hijacking\",\n                            \"Command and Control\",\n                            \"Suspicious DNS Traffic\",\n                            \"Host Redirection\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1048.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 9\",\n                            \"CIS 12\",\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                   
     \"mitre_attack_technique\": [\n                            \"Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Exfiltration\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT32\",\n                            \"APT33\",\n                            \"Thrip\",\n                            \"FIN8\",\n                            \"OilRig\",\n                            \"Lazarus Group\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"clients_connecting_to_multiple_dns_servers_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"DNS Query Requests Resolved by Unauthorized DNS Servers\",\n                    \"id\": \"1a67f15a-f4ff-4170-84e9-08cf6f75d6f6\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search will detect DNS requests resolved by unauthorized DNS servers. 
Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework.\",\n                    \"how_to_implement\": \"To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise Security.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name(\\\"DNS\\\")` | `dns_query_requests_resolved_by_unauthorized_dns_servers_filter` \",\n                    \"known_false_positives\": \"Legitimate DNS activity can be detected in this search. Investigate, verify and update the list of authorized DNS servers as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DNS Hijacking\",\n                            \"Command and Control\",\n                            \"Suspicious DNS Traffic\",\n                            \"Host Redirection\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1071.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\",\n                            \"CIS 3\",\n                            \"CIS 8\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\",\n                            \"PR.IP\",\n                            
\"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"DNS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"OilRig\",\n                            \"Ke3chang\",\n                            \"Cobalt Group\",\n                            \"APT18\",\n                            \"APT41\",\n                            \"FIN7\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"dns_query_requests_resolved_by_unauthorized_dns_servers_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"JBoss Vulnerability\",\n            \"id\": \"1f5294cb-b85f-4c2d-9c58-ffcf248f52bd\",\n            \"version\": 1,\n            \"date\": \"2017-09-14\",\n            \"description\": \"In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources or web services spawning atypical child processes, among others.\",\n            \"narrative\": \"This Analytic Story looks for probing and exploitation attempts targeting JBoss application servers. While the vulnerabilities associated with this story are rather dated, they were leveraged in a spring 2016 campaign in connection with the Samsam ransomware variant. Incidents involving this ransomware are unique, in that they begin with attacks against vulnerable services, rather than the phishing or drive-by attacks more common with ransomware. In this case, vulnerable JBoss applications appear to be the target of choice.\\\\\\nIt is helpful to understand how often a notable event generated by this story occurs, as well as the commonalities between some of these events, both of which may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. It may also help to understand whether the issue is restricted to a single user/system or whether it is broader in scope.\\\\\\nhen looking at the target of the behavior uncovered by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to identify other recent events involving the target. 
This can help tie different events together and give further situational awareness regarding the target host.\\\\\\nVarious types of information for external systems should be reviewed and, potentially, collected if the incident is, indeed, judged to be malicious. This data may be useful for generating your own threat intelligence, so you can create future alerts.\\\\\\nThe following factors may assist you in determining whether the event is malicious: \\\\\\n1. Country of origin\\\\\\n1. Responsible party\\\\\\n1. Fully qualified domain names associated with the external IP address\\\\\\n1. Registration of fully qualified domain names associated with external IP address Determining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you qualify and understand the event and possible motivation for the attack. In addition, there are various sources that may provide reputation information on the IP address or domain name, which can assist you in determining whether the event is malicious in nature. Finally, determining whether there are other events associated with the IP address may help connect data points or expose other historic events that might be brought back into scope.\\\\\\nGathering various data on the system of interest can sometimes help quickly determine whether something suspicious is happening. Some of these items include determining who else may have logged into the system recently, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and/or whether there are any known vulnerabilities on the system. 
This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\\\\\\nhen a specific service or application is targeted, it is often helpful to know the associated version, to help determine whether it is vulnerable to a specific exploit.\\\\\\nIf you suspect an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\\\\\\nIf a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that opened the file, the processes that may have created and/or modified the file, and how many other systems potentially have this file can you determine whether the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes help you quickly determine if it is malicious in nature.\\\\\\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if svchost.exe is found running from a location other than `C:\\\\Windows\\\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names. \\\\\\nIt can also be helpful to examine various behaviors of and the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see whether the parent process spawned other processes that might also warrant further scrutiny. 
If a process is suspect, a review of the network connections made around the time of the event and noting whether the process has spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"http://www.deependresearch.org/2016/04/jboss-exploits-view-from-victim.html\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"JBoss Vulnerability\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Vulnerability\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1082\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"System Information Discovery\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Discovery\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Lazarus Group\",\n                    \"Gamaredon Group\",\n                    \"Honeybee\",\n                    \"Frankenstein\",\n                    \"APT18\",\n                    \"Tropic Trooper\",\n                    \"APT32\",\n                    \"Patchwork\",\n                    \"Turla\",\n                    \"Sandworm Team\",\n                    \"Sowbug\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"Blue Mockingbird\",\n                    \"Stealth Falcon\",\n                    \"admin@338\",\n                    \"Magic Hound\",\n                    \"Inception\",\n                    \"Kimsuky\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"OilRig\",\n                    \"Rocke\",\n                    \"Ke3chang\"\n                ]\n        
    },\n            \"detections\": [\n                {\n                    \"name\": \"Detect attackers scanning for vulnerable JBoss servers\",\n                    \"id\": \"104658f4-afdc-499e-9719-17243f982681\",\n                    \"version\": 1,\n                    \"date\": \"2017-09-23\",\n                    \"description\": \"This search looks for specific GET or HEAD requests to web servers that are indicative of reconnaissance attempts to identify vulnerable JBoss servers. JexBoss is described as the exploit tool of choice for this malicious activity.\",\n                    \"how_to_implement\": \"You must be ingesting data from the web server or network traffic that contains web specific information, and populating the Web data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method=\\\"GET\\\" OR Web.http_method=\\\"HEAD\\\") AND (Web.url=\\\"*/web-console/ServerInfo.jsp*\\\" OR Web.url=\\\"*web-console*\\\" OR Web.url=\\\"*jmx-console*\\\" OR Web.url = \\\"*invoker*\\\") by Web.http_method, Web.url, Web.src, Web.dest | `drop_dm_object_name(\\\"Web\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_attackers_scanning_for_vulnerable_jboss_servers_filter`\",\n                    \"known_false_positives\": \"It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"JBoss Vulnerability\",\n                            \"SamSam Ransomware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1082\"\n                        ],\n                    
    \"kill_chain_phases\": [\n                            \"Reconnaissance\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Web Server\",\n                        \"mitre_attack_technique\": [\n                            \"System Information Discovery\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Discovery\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Rocke\",\n                            \"Sandworm Team\",\n                            \"Blue Mockingbird\",\n                            \"Tropic Trooper\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"Kimsuky\",\n                            \"Darkhotel\",\n                            \"MuddyWater\",\n                            \"APT18\",\n                            \"Honeybee\",\n                            \"APT19\",\n                            \"APT37\",\n                            \"APT32\",\n                            \"Magic Hound\",\n                            \"OilRig\",\n                            \"APT3\",\n                            \"Sowbug\",\n                            \"Gamaredon Group\",\n                            \"Patchwork\",\n                            \"Stealth Falcon\",\n                            \"Lazarus Group\",\n                            \"admin@338\",\n                            \"Turla\",\n                            \"Ke3chang\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": 
\"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_attackers_scanning_for_vulnerable_jboss_servers_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect malicious requests to exploit JBoss servers\",\n                    \"id\": \"c8bff7a4-11ea-4416-a27d-c5bca472913d\",\n                    \"version\": 1,\n                    \"date\": \"2017-09-23\",\n                    \"description\": \"This search is used to detect malicious HTTP requests crafted to exploit jmx-console in JBoss servers. 
The malicious requests have a long URL length, as the payload is embedded in the URL.\",\n                    \"how_to_implement\": \"You must ingest data from the web server or capture network data that contains web specific information with solutions such as Bro or Splunk Stream, and populating the Web data model\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method=\\\"GET\\\" OR Web.http_method=\\\"HEAD\\\") by Web.http_method, Web.url,Web.url_length Web.src, Web.dest | search Web.url=\\\"*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*\\\" AND Web.url_length > 200 | `drop_dm_object_name(\\\"Web\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, dest_ip, http_method, url, firstTime, lastTime | `detect_malicious_requests_to_exploit_jboss_servers_filter`\",\n                    \"known_false_positives\": \"No known false positives for this detection.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"JBoss Vulnerability\",\n                            \"SamSam Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 12\",\n                            \"CIS 4\",\n                            \"CIS 18\"\n                        ],\n                        \"nist\": [\n                            \"ID.RA\",\n                            \"PR.PT\",\n                            \"PR.IP\",\n                            \"DE.AE\",\n                            \"PR.MA\",\n                            \"DE.CM\"\n      
                  ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Web Server\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"detect_malicious_requests_to_exploit_jboss_servers_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-04-15\",\n            \"description\": \"This story addresses detection against Kubernetes cluster fingerprint scan and attack by providing information on items such as source ip, user agent, cluster names.\",\n            \"id\": \"a9ef59cf-e981-4e66-9eef-bb049f695c09\",\n            \"name\": \"Kubernetes Scanning Activity\",\n            \"narrative\": \"Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitve information and management priviledges of production workloads, microservices and applications. These searches allow operator to detect suspicious unauthenticated requests from the internet to kubernetes cluster.\",\n            \"references\": [\n                \"https://github.com/splunk/cloud-datamodel-security-research\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Kubernetes Scanning Activity\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"usecase\": \"Security Monitoring\",\n                \"mitre_attack_id\": [\n                    \"T1526\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Cloud Service Discovery\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Discovery\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"detections\": [\n                {\n                    \"name\": \"Amazon EKS Kubernetes cluster scan detection\",\n                    \"id\": 
\"294c4686-63dd-4fe6-93a2-ca807626704a\",\n                    \"version\": 1,\n                    \"date\": \"2020-04-15\",\n                    \"description\": \"This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster in AWS\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"search\": \"`aws_cloudwatchlogs_eks` \\\"user.username\\\"=\\\"system:anonymous\\\" userAgent!=\\\"AWS Security Scanner\\\" | rename sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`amazon_eks_kubernetes_cluster_scan_detection_filter` \",\n                    \"known_false_positives\": \"Not all unauthenticated requests are malicious, but frequency, UA and source IPs will provide context.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Scanning Activity\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Reconnaissance\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1526\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"asset_type\": \"Amazon EKS Kubernetes cluster\",\n                        \"mitre_attack_technique\": [\n                   
         \"Cloud Service Discovery\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Discovery\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"aws_cloudwatchlogs_eks\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"amazon_eks_kubernetes_cluster_scan_detection_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Amazon EKS Kubernetes Pod scan detection\",\n                    \"id\": \"dbfca1dd-b8e5-4ba4-be0e-e565e5d62002\",\n                    \"version\": 1,\n                    \"date\": \"2020-04-15\",\n                    \"description\": \"This search provides detection information on unauthenticated requests against Kubernetes' Pods API\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"search\": \"`aws_cloudwatchlogs_eks` \\\"user.username\\\"=\\\"system:anonymous\\\" verb=list objectRef.resource=pods requestURI=\\\"/api/v1/pods\\\" | rename source as cluster_name sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter` \",\n                    \"known_false_positives\": \"Not all unauthenticated requests are malicious, but frequency, UA and source IPs and direct request to API provide context.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Scanning Activity\"\n                        ],\n                        \"kill_chain_phases\": 
[\n                            \"Reconnaissance\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1526\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"asset_type\": \"Amazon EKS Kubernetes cluster Pod\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Service Discovery\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Discovery\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"aws_cloudwatchlogs_eks\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"amazon_eks_kubernetes_pod_scan_detection_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"GCP Kubernetes cluster pod scan detection\",\n                    \"id\": \"19b53215-4a16-405b-8087-9e6acf619842\",\n                    \"version\": 1,\n                    \"date\": \"2020-07-17\",\n                    \"description\": \"This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster's pods\",\n                    \"how_to_implement\": \"You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"search\": \"`google_gcp_pubsub_message` category=kube-audit |spath input=properties.log |search responseStatus.code=401 |table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod | `gcp_kubernetes_cluster_pod_scan_detection_filter`\",\n                    \"known_false_positives\": \"Not all unauthenticated requests are malicious, but frequency, User Agent, source IPs and pods  will provide context.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Scanning Activity\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Reconnaissance\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1526\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"asset_type\": \"GCP Kubernetes cluster\",\n                        \"mitre_attack_technique\": [\n                       
     \"Cloud Service Discovery\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Discovery\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"google_gcp_pubsub_message\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"gcp_kubernetes_cluster_pod_scan_detection_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"GCP Kubernetes cluster scan detection\",\n                    \"id\": \"db5957ec-0144-4c56-b512-9dccbe7a2d26\",\n                    \"version\": 1,\n                    \"date\": \"2020-04-15\",\n                    \"description\": \"This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster\",\n                    \"how_to_implement\": \"You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. 
You must also install Cloud Infrastructure data model.Customize the macro kubernetes_gcp_scan_fingerprint_attack_detection to filter out FPs.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"search\": \"`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerIp!=127.0.0.1 data.protoPayload.requestMetadata.callerIp!=::1 \\\"data.labels.authorization.k8s.io/decision\\\"=forbid \\\"data.protoPayload.status.message\\\"=PERMISSION_DENIED data.protoPayload.authenticationInfo.principalEmail=\\\"system:anonymous\\\" | rename data.protoPayload.requestMetadata.callerIp as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(data.protoPayload.methodName) as method_name values(data.protoPayload.resourceName) as resource_name values(data.protoPayload.requestMetadata.callerSuppliedUserAgent) as http_user_agent by src_ip data.resource.labels.cluster_name | rename data.resource.labels.cluster_name as cluster_name| `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`  | `gcp_kubernetes_cluster_scan_detection_filter` \",\n                    \"known_false_positives\": \"Not all unauthenticated requests are malicious, but frequency, User Agent and source IPs will provide context.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Scanning Activity\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Reconnaissance\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1526\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"asset_type\": \"GCP Kubernetes cluster\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Service 
Discovery\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Discovery\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"google_gcp_pubsub_message\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"gcp_kubernetes_cluster_scan_detection_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-05-20\",\n                    \"description\": \"This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster pod in Azure\",\n                    \"how_to_implement\": \"You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics\",\n                    \"id\": \"86aad3e0-732f-4f66-bbbc-70df448e461d\",\n                    \"known_false_positives\": \"Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.\",\n                    \"name\": \"Kubernetes Azure pod scan fingerprint\",\n                    \"references\": [],\n                    \"search\": \"`kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table  sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod |`kubernetes_azure_pod_scan_fingerprint_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Scanning Activity\"\n                        ],\n                        \"asset_type\": \"Azure AKS Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Reconnaissance\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    
\"macros\": [\n                        {\n                            \"definition\": \"sourcetype=mscs:storage:blob:json\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"kubernetes_azure\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"kubernetes_azure_pod_scan_fingerprint_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-05-19\",\n                    \"description\": \"This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster in Azure\",\n                    \"how_to_implement\": \"You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics\",\n                    \"id\": \"c5e5bd5c-1013-4841-8b23-e7b3253c840a\",\n                    \"known_false_positives\": \"Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.\",\n                    \"name\": \"Kubernetes Azure scan fingerprint\",\n                    \"references\": [],\n                    \"search\": \"`kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table  sourceIPs{} userAgent verb requestURI responseStatus.reason |`kubernetes_azure_scan_fingerprint_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n      
                      \"Kubernetes Scanning Activity\"\n                        ],\n                        \"asset_type\": \"Azure AKS Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Reconnaissance\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1526\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Service Discovery\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Discovery\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=mscs:storage:blob:json\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"kubernetes_azure\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"kubernetes_azure_scan_fingerprint_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-05-20\",\n            \"description\": \"This story addresses detection and response of accounts acccesing Kubernetes cluster sensitive objects such as configmaps or secrets providing information on items such as user user, group. object, namespace and authorization reason.\",\n            \"id\": \"2574e6d9-7254-4751-8925-0447deeec8ea\",\n            \"name\": \"Kubernetes Sensitive Object Access Activity\",\n            \"narrative\": \"Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive objects within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes sensitive objects.\",\n            \"references\": [\n                \"https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Kubernetes Sensitive Object Access Activity\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"usecase\": \"Security Monitoring\",\n                \"mitre_attack_id\": [],\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"detections\": [\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-06-23\",\n                    \"description\": \"This search provides information on Kubernetes 
accounts accessing sensitve objects such as configmaps or secrets\",\n                    \"how_to_implement\": \"You must install Splunk Add-on for Amazon Web Services and Splunk App for AWS. This search works with cloudwatch logs.\",\n                    \"id\": \"7f227943-2196-4d4d-8d6a-ac8cb308e61c\",\n                    \"known_false_positives\": \"Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.\",\n                    \"name\": \"AWS EKS Kubernetes cluster sensitive object access\",\n                    \"references\": [],\n                    \"search\": \"`aws_cloudwatchlogs_eks` objectRef.resource=secrets OR configmaps sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1  |table sourceIPs{} user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`aws_eks_kubernetes_cluster_sensitive_object_access_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Sensitive Object Access Activity\"\n                        ],\n                        \"asset_type\": \"AWS EKS Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"aws_cloudwatchlogs_eks\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"aws_eks_kubernetes_cluster_sensitive_object_access_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-06-23\",\n                    \"description\": \"This search provides information on Kubernetes service accounts with failure or forbidden access status; this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI\",\n                    \"how_to_implement\": \"You must install the Splunk Add-on for AWS and the Splunk App for AWS. 
This search works with cloudwatch logs.\",\n                    \"id\": \"a6959c57-fa8f-4277-bb86-7c32fba579d5\",\n                    \"known_false_positives\": \"This search can give false positives as there might be inherent issues with authentications and permissions at cluster.\",\n                    \"name\": \"Kubernetes AWS detect service accounts forbidden failure access\",\n                    \"references\": [],\n                    \"search\": \"`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts responseStatus.status = Failure | table sourceIPs{} user.username userAgent verb responseStatus.status requestURI | `kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Sensitive Object Access Activity\"\n                        ],\n                        \"asset_type\": \"AWS EKS Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"aws_cloudwatchlogs_eks\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-06-23\",\n                    \"description\": \"This search provides information on anonymous Kubectl calls with IP, verb, namespace and object access context\",\n                    \"how_to_implement\": \"You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with cloudwatch logs.\",\n                    \"id\": \"042a3d32-8318-4763-9679-09db2644a8f2\",\n                    \"known_false_positives\": \"Kubectl calls are not malicious by nature. 
However source IP, verb and Object can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets\",\n                    \"name\": \"Kubernetes AWS detect suspicious kubectl calls\",\n                    \"references\": [],\n                    \"search\": \"`aws_cloudwatchlogs_eks` userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 src_user=system:anonymous  | table  src_ip src_user verb userAgent requestURI  | stats  count by src_ip src_user verb userAgent requestURI |`kubernetes_aws_detect_suspicious_kubectl_calls_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Sensitive Object Access Activity\"\n                        ],\n                        \"asset_type\": \"AWS EKS Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"aws_cloudwatchlogs_eks\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"kubernetes_aws_detect_suspicious_kubectl_calls_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-05-20\",\n                    \"description\": \"This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets\",\n                    \"how_to_implement\": \"You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics\",\n                    \"id\": \"1bba382b-07fd-4ffa-b390-8002739b76e8\",\n                    \"known_false_positives\": \"Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.\",\n                    \"name\": \"Kubernetes Azure detect sensitive object access\",\n                    \"references\": [],\n                    \"search\": \"`kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=secrets OR configmaps user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow  |table user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_object_access_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Sensitive Object Access Activity\"\n                        ],\n                        \"asset_type\": \"Azure AKS Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                   
     \"mitre_attack_groups\": []\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=mscs:storage:blob:json\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"kubernetes_azure\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"kubernetes_azure_detect_sensitive_object_access_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-05-20\",\n                    \"description\": \"This search provides information on Kubernetes service accounts with failure or forbidden access status\",\n                    \"how_to_implement\": \"You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics\",\n                    \"id\": \"019690d7-420f-4da0-b320-f27b09961514\",\n                    \"known_false_positives\": \"This search can give false positives as there might be inherent issues with authentications and permissions at cluster.\",\n                    \"name\": \"Kubernetes Azure detect service accounts forbidden failure access\",\n                    \"references\": [],\n                    \"search\": \"`kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts*  responseStatus.reason=Forbidden | table  sourceIPs{} 
user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace  |`kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Sensitive Object Access Activity\"\n                        ],\n                        \"asset_type\": \"Azure AKS Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=mscs:storage:blob:json\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"kubernetes_azure\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-05-26\",\n                    \"description\": \"This search provides information on rare Kubectl calls with IP, verb namespace and object access context\",\n                    \"how_to_implement\": \"You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics\",\n                    \"id\": \"4b6d1ba8-0000-4cec-87e6-6cbbd71651b5\",\n                    \"known_false_positives\": \"Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially suspicious IPs and sensitive objects such as configmaps or secrets\",\n                    \"name\": \"Kubernetes Azure detect suspicious kubectl calls\",\n                    \"references\": [],\n                    \"search\": \"`kubernetes_azure` category=kube-audit | spath input=properties.log | spath input=responseObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | search userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 | table sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI | rare sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI|`kubernetes_azure_detect_suspicious_kubectl_calls_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Sensitive Object Access Activity\"\n                        ],\n                        \"asset_type\": \"Azure AKS Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        
\"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=mscs:storage:blob:json\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"kubernetes_azure\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"kubernetes_azure_detect_suspicious_kubectl_calls_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-07-11\",\n                    \"description\": \"This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets\",\n                    \"how_to_implement\": \"You must install splunk add on for GCP . 
This search works with pubsub messaging service logs.\",\n                    \"id\": \"bdb6d596-86a0-4aba-8369-418ae8b9963a\",\n                    \"known_false_positives\": \"Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.\",\n                    \"name\": \"Kubernetes GCP detect sensitive object access\",\n                    \"references\": [],\n                    \"search\": \"`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.resource=configmaps OR secrets  | table data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name data.protoPayload.request.metadata.namespace data.labels.authorization.k8s.io/decision | dedup data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name |`kubernetes_gcp_detect_sensitive_object_access_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Sensitive Object Access Activity\"\n                        ],\n                        \"asset_type\": \"GCP GKE Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"google_gcp_pubsub_message\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"kubernetes_gcp_detect_sensitive_object_access_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-06-23\",\n                    \"description\": \"This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI\",\n                    \"how_to_implement\": \"You must install splunk add on for GCP. 
This search works with pubsub messaging service logs.\",\n                    \"id\": \"7094808d-432a-48e7-bb3c-77e96c894f3b\",\n                    \"known_false_positives\": \"This search can give false positives as there might be inherent issues with authentications and permissions at cluster.\",\n                    \"name\": \"Kubernetes GCP detect service accounts forbidden failure access\",\n                    \"references\": [],\n                    \"search\": \"`google_gcp_pubsub_message` system:serviceaccounts data.protoPayload.response.status.allowed!=* | table src_ip src_user http_user_agent data.protoPayload.response.spec.resourceAttributes.namespace data.resource.labels.cluster_name data.protoPayload.response.spec.resourceAttributes.verb  data.protoPayload.request.status.allowed data.protoPayload.response.status.reason data.labels.authorization.k8s.io/decision | dedup src_ip src_user | `kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Sensitive Object Access Activity\"\n                        ],\n                        \"asset_type\": \"GCP GKE Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"google_gcp_pubsub_message\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-07-11\",\n                    \"description\": \"This search provides information on anonymous Kubectl calls with IP, verb namespace and object access context\",\n                    \"how_to_implement\": \"You must install splunk add on for GCP. This search works with pubsub messaging logs.\",\n                    \"id\": \"a5bed417-070a-41f2-a1e4-82b6aa281557\",\n                    \"known_false_positives\": \"Kubectl calls are not malicious by nature. 
However source IP, source user, user agent, object path, and authorization context can reveal potential malicious activity, specially anonymous suspicious IPs and sensitive objects such as configmaps or secrets\",\n                    \"name\": \"Kubernetes GCP detect suspicious kubectl calls\",\n                    \"references\": [],\n                    \"search\": \"`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerSuppliedUserAgent=kubectl* src_user=system:unsecured OR src_user=system:anonymous | table src_ip src_user data.protoPayload.requestMetadata.callerSuppliedUserAgent data.protoPayload.authorizationInfo{}.granted object_path |dedup src_ip src_user |`kubernetes_gcp_detect_suspicious_kubectl_calls_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Sensitive Object Access Activity\"\n                        ],\n                        \"asset_type\": \"GCP GKE Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"google_gcp_pubsub_message\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"kubernetes_gcp_detect_suspicious_kubectl_calls_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"author\": \"Rod Soto, Splunk\",\n            \"date\": \"2020-05-20\",\n            \"description\": \"This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces.\",\n            \"id\": \"2574e6d9-7254-4751-8925-0447deeec8ew\",\n            \"name\": \"Kubernetes Sensitive Role Activity\",\n            \"narrative\": \"Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive roles within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. 
These searches allow operator to detect suspicious requests against Kubernetes role activities\",\n            \"references\": [\n                \"https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Kubernetes Sensitive Role Activity\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"usecase\": \"Security Monitoring\",\n                \"mitre_attack_id\": [],\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"type\": \"ESCU\",\n            \"version\": 1,\n            \"detections\": [\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-06-23\",\n                    \"description\": \"This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision\",\n                    \"how_to_implement\": \"You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs\",\n                    \"id\": \"5b30b25d-7d32-42d8-95ca-64dfcd9076e6\",\n                    \"known_false_positives\": \"Not all service accounts interactions are malicious. 
Analyst must consider IP, verb and decision context when trying to detect maliciousness.\",\n                    \"name\": \"Kubernetes AWS detect most active service accounts by pod\",\n                    \"references\": [],\n                    \"search\": \"`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts  objectRef.resource=pods | table  sourceIPs{} user.username userAgent verb annotations.authorization.k8s.io/decision  | top  sourceIPs{} user.username verb annotations.authorization.k8s.io/decision |`kubernetes_aws_detect_most_active_service_accounts_by_pod_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Sensitive Role Activity\"\n                        ],\n                        \"asset_type\": \"AWS EKS Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"aws_cloudwatchlogs_eks\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"kubernetes_aws_detect_most_active_service_accounts_by_pod_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-06-23\",\n                    \"description\": \"This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences\",\n                    \"how_to_implement\": \"You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs\",\n                    \"id\": \"de7264ed-3ed9-4fef-bb01-6eefc87cefe8\",\n                    \"known_false_positives\": \"Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.\",\n                    \"name\": \"Kubernetes AWS detect RBAC authorization by account\",\n                    \"references\": [],\n                    \"search\": \"`aws_cloudwatchlogs_eks` annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason | stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_aws_detect_rbac_authorization_by_account_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Sensitive Role Activity\"\n                        ],\n                        \"asset_type\": \"AWS EKS Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n      
                  \"mitre_attack_groups\": []\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"aws_cloudwatchlogs_eks\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"kubernetes_aws_detect_rbac_authorization_by_account_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-06-23\",\n                    \"description\": \"This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets\",\n                    \"how_to_implement\": \"You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.\",\n                    \"id\": \"b6013a7b-85e0-4a45-b051-10b252d69569\",\n                    \"known_false_positives\": \"Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. 
\",\n                    \"name\": \"Kubernetes AWS detect sensitive role access\",\n                    \"references\": [],\n                    \"search\": \"`aws_cloudwatchlogs_eks` objectRef.resource=clusterroles OR clusterrolebindings sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1  | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_aws_detect_sensitive_role_access_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Sensitive Role Activity\"\n                        ],\n                        \"asset_type\": \"AWS EKS Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"aws_cloudwatchlogs_eks\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"kubernetes_aws_detect_sensitive_role_access_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-05-26\",\n                    \"description\": \"This search provides information on Kubernetes service accounts,accessing pods and namespaces by IP address and verb\",\n                    \"how_to_implement\": \"You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics\",\n                    \"id\": \"55a2264a-b7f0-45e5-addd-1e5ab3415c72\",\n                    \"known_false_positives\": \"Not all service accounts interactions are malicious. Analyst must consider IP and verb context when trying to detect maliciousness.\",\n                    \"name\": \"Kubernetes Azure detect most active service accounts by pod namespace\",\n                    \"references\": [],\n                    \"search\": \"`kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* OR user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow  | table  sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace | top sourceIPs{} user.username verb responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_detect_most_active_service_accounts_by_pod_namespace_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Sensitive Role Activity\"\n                        ],\n                        \"asset_type\": \"Azure AKS Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"security_domain\": \"threat\",\n                    
    \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=mscs:storage:blob:json\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"kubernetes_azure\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"kubernetes_azure_detect_most_active_service_accounts_by_pod_namespace_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-05-26\",\n                    \"description\": \"This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding rare or top to see both extremes of RBAC by accounts occurrences\",\n                    \"how_to_implement\": \"You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics\",\n                    \"id\": \"47af7d20-0607-4079-97d7-7a29af58b54e\",\n                    \"known_false_positives\": \"Not all RBAC Authorications are malicious. 
RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.\",\n                    \"name\": \"Kubernetes Azure detect RBAC authorization by account\",\n                    \"references\": [],\n                    \"search\": \"sourcetype:mscs:storage:blob:json category=kube-audit | spath input=properties.log | search annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason |stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_azure_detect_rbac_authorization_by_account_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Sensitive Role Activity\"\n                        ],\n                        \"asset_type\": \"Azure AKS Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"kubernetes_azure_detect_rbac_authorization_by_account_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-05-20\",\n                    \"description\": \"This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets\",\n                    \"how_to_implement\": \"You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics\",\n                    \"id\": \"f27349e5-1641-4f6a-9e68-30402be0ad4c\",\n                    \"known_false_positives\": \"Sensitive role resource access is necessary for cluster operation, however source IP, namespace and user group may indicate possible malicious use. \",\n                    \"name\": \"Kubernetes Azure detect sensitive role access\",\n                    \"references\": [],\n                    \"search\": \"`kubernetes_azure` category=kube-audit | spath input=properties.log| search objectRef.resource=clusterroles OR clusterrolebindings | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_role_access_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Sensitive Role Activity\"\n                        ],\n                        \"asset_type\": \"Azure AKS Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                  
  },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=mscs:storage:blob:json\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"kubernetes_azure\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"kubernetes_azure_detect_sensitive_role_access_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-07-11\",\n                    \"description\": \"This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences\",\n                    \"how_to_implement\": \"You must install splunk AWS add on for GCP. This search works with pubsub messaging service logs\",\n                    \"id\": \"99487de3-7192-4b41-939d-fbe9acfb1340\",\n                    \"known_false_positives\": \"Not all RBAC Authorications are malicious. 
RBAC authorizations can uncover malicious activity, especially if sensitive Roles have been granted.\",\n                    \"name\": \"Kubernetes GCP detect RBAC authorizations by account\",\n                    \"references\": [],\n                    \"search\": \"`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole  | table src_ip src_user data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | rare src_user data.labels.authorization.k8s.io/reason |`kubernetes_gcp_detect_rbac_authorizations_by_account_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Sensitive Role Activity\"\n                        ],\n                        \"asset_type\": \"GCP GKE Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"google_gcp_pubsub_message\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"kubernetes_gcp_detect_rbac_authorizations_by_account_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-07-10\",\n                    \"description\": \"This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision\",\n                    \"how_to_implement\": \"You must install splunk GCP add on. This search works with pubsub messaging service logs\",\n                    \"id\": \"7f5c2779-88a0-4824-9caa-0f606c8f260f\",\n                    \"known_false_positives\": \"Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness.\",\n                    \"name\": \"Kubernetes GCP detect most active service accounts by pod\",\n                    \"references\": [],\n                    \"search\": \"`google_gcp_pubsub_message  data.protoPayload.request.spec.group{}=system:serviceaccounts | table src_ip src_user http_user_agent data.protoPayload.request.spec.nonResourceAttributes.verb data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource | top src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource |`kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Sensitive Role Activity\"\n                        ],\n                        \"asset_type\": \"GCP GKE Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        
\"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"author\": \"Rod Soto, Splunk\",\n                    \"date\": \"2020-07-11\",\n                    \"description\": \"This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets\",\n                    \"how_to_implement\": \"You must install splunk add on for GCP. This search works with pubsub messaging service logs.\",\n                    \"id\": \"a46923f6-36b9-4806-a681-31f314907c30\",\n                    \"known_false_positives\": \"Sensitive role resource access is necessary for cluster operation, however source IP, user agent, decision and reason may indicate possible malicious use. 
\",\n                    \"name\": \"Kubernetes GCP detect sensitive role access\",\n                    \"references\": [],\n                    \"search\": \"`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole dest=apis/rbac.authorization.k8s.io/v1 src_ip!=::1  | table src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | dedup src_ip src_user |`kubernetes_gcp_detect_sensitive_role_access_filter`\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Kubernetes Sensitive Role Activity\"\n                        ],\n                        \"asset_type\": \"GCP GKE EKS Kubernetes cluster\",\n                        \"kill_chain_phases\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"type\": \"ESCU\",\n                    \"version\": 1,\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"google_gcp_pubsub_message\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"kubernetes_gcp_detect_sensitive_role_access_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Lateral Movement\",\n            \"id\": \"399d65dc-1f08-499b-a259-aad9051f38ad\",\n            \"version\": 2,\n            \"date\": \"2020-02-04\",\n            \"description\": \"Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts.\",\n            \"narrative\": \"Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation.\\\\\\nIndications of lateral movement can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, pass-the-hash, or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \\\"crown jewels\\\" to a persistent threat actor.\\\\\\nAn adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. 
Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders.\\\\\\nIf there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. \\\\\\n It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Lateral Movement\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1053.005\",\n                    \"T1021.001\",\n                    \"T1550.002\",\n                    \"T1558.003\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Kerberoasting\",\n                    \"Pass the Hash\",\n                    \"Scheduled Task\",\n                    \"Remote Desktop Protocol\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\",\n                    \"Persistence\",\n                    \"Lateral Movement\",\n                    \"Defense Evasion\",\n                    \"Privilege Escalation\",\n                    
\"Credential Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Dragonfly 2.0\",\n                    \"Soft Cell\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"Stolen Pencil\",\n                    \"APT41\",\n                    \"Gamaredon Group\",\n                    \"BRONZE BUTLER\",\n                    \"Frankenstein\",\n                    \"Cobalt Group\",\n                    \"Night Dragon\",\n                    \"FIN10\",\n                    \"APT32\",\n                    \"TEMP.Veles\",\n                    \"Patchwork\",\n                    \"APT28\",\n                    \"Rancor\",\n                    \"FIN8\",\n                    \"APT29\",\n                    \"Silence\",\n                    \"menuPass\",\n                    \"Blue Mockingbird\",\n                    \"APT-C-36\",\n                    \"Machete\",\n                    \"Stealth Falcon\",\n                    \"APT39\",\n                    \"Axiom\",\n                    \"APT3\",\n                    \"Wizard Spider\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"no\",\n                    \"APT33\",\n                    \"APT1\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect Activity Related to Pass the Hash Attacks\",\n                    \"id\": \"f5939373-8054-40ad-8c64-cec478a22a4b\",\n                    \"version\": 5,\n                    \"date\": \"2020-10-15\",\n                    \"description\": \"This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must ingest your Windows 
Security Event logs and leverage the latest TA for Windows.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Patrick Bareiss, Splunk\",\n                    \"search\": \"`wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp WorkstationName=WORKSTATION NOT AccountName=\\\"ANONYMOUS LOGON\\\") OR (Logon_Type=9 Logon_Process=seclogo) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_activity_related_to_pass_the_hash_attacks_filter` \",\n                    \"known_false_positives\": \"Legitimate logon activity by authorized NTLM systems may be detected by this search. Please investigate as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1550.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"PR.AT\",\n                            \"PR.AC\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"access\",\n                        \"asset_type\": \"Endpoint\",\n                        \"automated_detection_testing\": \"passed\",\n                        \"dataset\": [\n                            
\"https://attack-range-attack-data.s3-us-west-2.amazonaws.com/T1550.002/windows-security.log\"\n                        ],\n                        \"mitre_attack_technique\": [\n                            \"Pass the Hash\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Soft Cell\",\n                            \"APT32\",\n                            \"Night Dragon\",\n                            \"APT28\",\n                            \"APT1\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"eventtype=wineventlog_security\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"wineventlog_security\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"detect_activity_related_to_pass_the_hash_attacks_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Kerberoasting spn request with RC4 encryption\",\n                    \"id\": \"5cc67381-44fa-4111-8a37-7a230943f027\",\n                    \"version\": 3,\n                    \"date\": \"2020-10-16\",\n                    \"description\": \"This search detects a potential kerberoasting attack via service principal name requests\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, and include the windows security event logs that contain kerberos\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1208/T1208.md\",\n                        \"https://www.trimarcsecurity.com/post/trimarcresearch-detecting-kerberoasting-activity\"\n                    ],\n                    \"author\": \"Jose Hernandez, Patrick Bareiss, Splunk\",\n                    \"search\": \"`wineventlog_security` EventCode=4769 Ticket_Options=0x40810000 Ticket_Encryption_Type=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, Ticket_Encryption_Type, Ticket_Options | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberoasting_spn_request_with_rc4_encryption_filter`\",\n                    \"known_false_positives\": \"Older systems that support kerberos RC4 by default NetApp may generate false positives\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1558.003\"\n                        ],\n                        
\"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"automated_detection_testing\": \"passed\",\n                        \"dataset\": [\n                            \"https://attack-range-attack-data.s3-us-west-2.amazonaws.com/T1558.003/windows-security.log\"\n                        ],\n                        \"mitre_attack_technique\": [\n                            \"Kerberoasting\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Credential Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"eventtype=wineventlog_security\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"wineventlog_security\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"kerberoasting_spn_request_with_rc4_encryption_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Remote Desktop Process Running On System\",\n                    \"id\": \"f5939373-8054-40ad-8c64-cec478a22a4a\",\n                    \"version\": 5,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for the remote desktop process mstsc.exe running on systems upon which it doesn't typically run. This is accomplished by filtering out all systems that are noted in the `common_rdp_source category` in the Assets and Identity framework.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. The search requires you to identify systems that do not commonly use remote desktop. You can use the included support search \\\"Identify Systems Using Remote Desktop\\\" to identify these systems. 
After identifying them, you will need to add the \\\"common_rdp_source\\\" category to that system using the Enterprise Security Assets and Identities framework. This can be done by adding an entry in the assets.csv file located in `SA-IdentityManagement/lookups`.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter` \",\n                    \"known_false_positives\": \"Remote Desktop may be used legitimately by users on the network.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Hidden Cobra Malware\",\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1021.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 9\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"PR.AC\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n    
                        \"Remote Desktop Protocol\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"TEMP.Veles\",\n                            \"Leviathan\",\n                            \"APT39\",\n                            \"Stolen Pencil\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"FIN8\",\n                            \"APT3\",\n                            \"OilRig\",\n                            \"menuPass\",\n                            \"FIN10\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            \"Lazarus Group\",\n                            \"APT1\",\n                            \"Axiom\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                 
           \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"remote_desktop_process_running_on_system_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Schtasks scheduling job on remote system\",\n                    \"id\": \"1297fb80-f42a-4b4a-9c8a-88c066237cf6\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for flags passed to schtasks.exe on the command-line that indicate a job is being scheduled on a remote system.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = schtasks.exe Processes.process=\\\"*/create*\\\" Processes.process=\\\"* /s *\\\" by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_scheduling_job_on_remote_system_filter`\",\n                    \"known_false_positives\": \"Administrators may create jobs on remote systems, but this activity is usually limited to a small set of hosts or users. 
It is important to validate and investigate as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1053.005\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Scheduled Task\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\",\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Gamaredon Group\",\n                            \"Blue Mockingbird\",\n                            \"MuddyWater\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"APT-C-36\",\n                            \"BRONZE BUTLER\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"Soft Cell\",\n                            \"Silence\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"Dragonfly 2.0\",\n                            \"Patchwork\",\n                            \"OilRig\",\n                            
\"Rancor\",\n                            \"Cobalt Group\",\n                            \"FIN8\",\n                            \"menuPass\",\n                            \"FIN10\",\n                            \"APT32\",\n                            \"FIN7\",\n                            \"Stealth Falcon\",\n                            \"FIN6\",\n                            \"APT3\",\n                            \"APT29\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"schtasks_scheduling_job_on_remote_system_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Remote Desktop Network Traffic\",\n                    \"id\": \"272b8407-842d-4b3d-bead-a704584003d3\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-07\",\n                    \"description\": \"This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. This search allows for whitelisting both source and destination hosts to remove them from the output of the search so you can focus on the uncommon uses of remote desktop on your network.\",\n                    \"how_to_implement\": \"To successfully implement this search you need to identify systems that commonly originate remote desktop traffic and that commonly receive remote desktop traffic. You can use the included support search \\\"Identify Systems Creating Remote Desktop Traffic\\\" to identify systems that originate the traffic and the search \\\"Identify Systems Receiving Remote Desktop Traffic\\\" to identify systems that receive a lot of remote desktop traffic. After identifying these systems, you will need to add the \\\"common_rdp_source\\\" or \\\"common_rdp_destination\\\" category to that system depending on the usage, using the Enterprise Security Assets and Identities framework.  
This can be done by adding an entry in the assets.csv file located in SA-IdentityManagement/lookups.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=3389 AND All_Traffic.dest_category!=common_rdp_destination AND All_Traffic.src_category!=common_rdp_source by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(\\\"All_Traffic\\\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_desktop_network_traffic_filter` \",\n                    \"known_false_positives\": \"Remote Desktop may be used legitimately by users on the network.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"SamSam Ransomware\",\n                            \"Hidden Cobra Malware\",\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1021.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 9\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"PR.AC\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Remote Desktop Protocol\"\n   
                     ],\n                        \"mitre_attack_tactics\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"TEMP.Veles\",\n                            \"Leviathan\",\n                            \"APT39\",\n                            \"Stolen Pencil\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"FIN8\",\n                            \"APT3\",\n                            \"OilRig\",\n                            \"menuPass\",\n                            \"FIN10\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            \"Lazarus Group\",\n                            \"APT1\",\n                            \"Axiom\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n              
              \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"remote_desktop_network_traffic_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Malicious PowerShell\",\n            \"id\": \"2c8ff66e-0b57-42af-8ad7-912438a403fc\",\n            \"version\": 4,\n            \"date\": \"2017-08-23\",\n            \"description\": \"Attackers are finding stealthy ways \\\"live off the land,\\\" leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.\",\n            \"narrative\": \"The searches in this Analytic Story monitor for parameters often used for malicious purposes. It is helpful to understand how often the notable events generated by this story occur, as well as the commonalities between some of these events. These factors may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. Likewise, it is important to determine whether the issue is restricted to a single user/system or is broader in scope.\\\\\\nThe following factors may assist you in determining whether the event is malicious: \\\\\\n1. Country of origin\\\\\\n1. Responsible party\\\\\\n1. Fully qualified domain names associated with the external IP address\\\\\\n1. Registration of fully qualified domain names associated with external IP addressDetermining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you answer some questions surrounding the attacker and details related to the external system. 
In addition, there are various sources--such as VirusTotal--that can provide some reputation information on the IP address or domain name, which can assist in determining whether the event is malicious. Finally, determining whether there are other events associated with the IP address may help connect data points or show other events that should be brought into scope.\\\\\\nGathering data on the system of interest can sometimes help you quickly determine whether something suspicious is happening. Some of these items include finding out who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\\\\\\nOften, a simple inspection of the process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\\\Windows\\\\System32`, it is likely something malicious designed to hide in plain sight when cursorily reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, that could be indicative of activity initiated via a compromised website a user visited.\\\\\\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might be worth further scrutiny. 
If a process is suspect, a review of the network connections made in and around the time of the event and/or whether the process spawned any child processes could be helpful, as well.\\\\\\nIn the event a system is suspected of having been compromised via a malicious website, we suggest reviewing the browsing activity from that system around the time of the event. If categories are given for the URLs visited, that can help you zero in on possible malicious sites.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/\",\n                \"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Malicious PowerShell\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1059.001\",\n                    \"T1027\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Obfuscated Files or Information\",\n                    \"PowerShell\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Dust Storm\",\n                    \"Dragonfly 2.0\",\n                    \"Putter Panda\",\n                    \"Soft Cell\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"Rocke\",\n                    \"APT41\",\n                    \"BRONZE BUTLER\",\n                    \"Gamaredon Group\",\n                    \"Honeybee\",\n                    
\"Frankenstein\",\n                    \"TA459\",\n                    \"DarkHydrus\",\n                    \"Cobalt Group\",\n                    \"Threat Group-3390\",\n                    \"FIN10\",\n                    \"Night Dragon\",\n                    \"APT18\",\n                    \"APT32\",\n                    \"Tropic Trooper\",\n                    \"TEMP.Veles\",\n                    \"Patchwork\",\n                    \"APT28\",\n                    \"Deep Panda\",\n                    \"Turla\",\n                    \"CopyKittens\",\n                    \"Whitefly\",\n                    \"FIN8\",\n                    \"Gallmaker\",\n                    \"APT29\",\n                    \"Sandworm Team\",\n                    \"Silence\",\n                    \"APT19\",\n                    \"Molerats\",\n                    \"APT37\",\n                    \"menuPass\",\n                    \"DarkVishnya\",\n                    \"Blue Mockingbird\",\n                    \"APT-C-36\",\n                    \"Machete\",\n                    \"Poseidon Group\",\n                    \"Stealth Falcon\",\n                    \"APT39\",\n                    \"Gorgon Group\",\n                    \"Magic Hound\",\n                    \"Inception\",\n                    \"Leafminer\",\n                    \"Group5\",\n                    \"Elderwood\",\n                    \"Kimsuky\",\n                    \"Dark Caracal\",\n                    \"Thrip\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"BlackOasis\",\n                    \"Wizard Spider\",\n                    \"WIRTE\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"Mofang\",\n                    \"FIN6\",\n                    \"TA505\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Attempt To Set Default 
PowerShell Execution Policy To Unrestricted or Bypass\",\n                    \"id\": \"c2590137-0b08-4985-9ec5-6ae23d92f63d\",\n                    \"version\": 5,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"Monitor for changes of the ExecutionPolicy in the registry to the values \\\"unrestricted\\\" or \\\"bypass,\\\" which allows the execution of malicious scripts.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Registry node. You must also be ingesting logs with the fields registry_path, registry_key_name, and registry_value_name from your endpoints.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Patrick Bareiss, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=*Software\\\\\\\\Microsoft\\\\\\\\Powershell\\\\\\\\1\\\\\\\\ShellIds\\\\\\\\Microsoft.PowerShell* Registry.registry_key_name=ExecutionPolicy (Registry.registry_value_name=Unrestricted OR Registry.registry_value_name=Bypass) by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `attempt_to_set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter` \",\n                    \"known_false_positives\": \"Administrators may attempt to change the default execution policy on a system for a variety of reasons. However, setting the policy to \\\"unrestricted\\\" or \\\"bypass\\\" as this search is designed to identify, would be unusual. 
Hits should be reviewed and investigated as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Malicious PowerShell\",\n                            \"Credential Dumping\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"PowerShell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"DarkVishnya\",\n                            \"Molerats\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Soft Cell\",\n                            \"TA505\",\n                            \"WIRTE\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"Gallmaker\",\n                            \"Turla\",\n                     
       \"APT19\",\n                            \"DarkHydrus\",\n                            \"APT28\",\n                            \"Thrip\",\n                            \"Gorgon Group\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"Leviathan\",\n                            \"TA459\",\n                            \"FIN8\",\n                            \"MuddyWater\",\n                            \"Magic Hound\",\n                            \"OilRig\",\n                            \"BRONZE BUTLER\",\n                            \"CopyKittens\",\n                            \"APT32\",\n                            \"FIN7\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Patchwork\",\n                            \"Stealth Falcon\",\n                            \"FIN6\",\n                            \"Poseidon Group\",\n                            \"APT3\",\n                            \"APT29\",\n                            \"Deep Panda\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                   
     {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"attempt_to_set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Malicious PowerShell Process - Connect To Internet With Hidden Window\",\n                    \"id\": \"ee18ed37-0802-4268-9435-b3b91aaa18db\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for PowerShell processes started with parameters to modify the execution policy of the run, run in a hidden window, and connect to the Internet. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide its activity from the user, and connects to the Internet.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=\\\"*-Exec*\\\" process=\\\"*-WindowStyle*\\\" process=\\\"*hidden*\\\" process=\\\"*New-Object*\\\" process=\\\"*System.Net.WebClient*\\\" | `malicious_powershell_process___connect_to_internet_with_hidden_window_filter`\",\n                    \"known_false_positives\": \"Legitimate processes can have this combination of command-line options, but it's not common.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Malicious PowerShell\",\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 7\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n       
                     \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"PowerShell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"DarkVishnya\",\n                            \"Molerats\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Soft Cell\",\n                            \"TA505\",\n                            \"WIRTE\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"Gallmaker\",\n                            \"Turla\",\n                            \"APT19\",\n                            \"DarkHydrus\",\n                            \"APT28\",\n                            \"Thrip\",\n                            \"Gorgon Group\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"Leviathan\",\n                            \"TA459\",\n                            \"FIN8\",\n                            \"MuddyWater\",\n                            \"Magic Hound\",\n                            \"OilRig\",\n                            \"BRONZE BUTLER\",\n                            \"CopyKittens\",\n                            \"APT32\",\n                            \"FIN7\",\n                            \"FIN10\",\n           
                 \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Patchwork\",\n                            \"Stealth Falcon\",\n                            \"FIN6\",\n                            \"Poseidon Group\",\n                            \"APT3\",\n                            \"APT29\",\n                            \"Deep Panda\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"malicious_powershell_process___connect_to_internet_with_hidden_window_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Malicious PowerShell Process - Encoded Command\",\n                    \"id\": \"c4db14d9-7909-48b4-a054-aa14d89dbb19\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for PowerShell processes that have encoded the script within the command-line. Malware has been seen using this parameter, as it obfuscates the code and makes it relatively easy to pass a script on the command-line.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = powershell.exe (Processes.process=*-EncodedCommand* OR Processes.process=*-enc*) by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `malicious_powershell_process___encoded_command_filter`\",\n                    \"known_false_positives\": \"System administrators may use this option, but it's not common.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Malicious PowerShell\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1027\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 7\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Obfuscated Files or Information\"\n   
                     ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Gamaredon Group\",\n                            \"Rocke\",\n                            \"Sandworm Team\",\n                            \"Blue Mockingbird\",\n                            \"Whitefly\",\n                            \"Molerats\",\n                            \"Wizard Spider\",\n                            \"Mofang\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"APT-C-36\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"Soft Cell\",\n                            \"Turla\",\n                            \"TA505\",\n                            \"Silence\",\n                            \"APT33\",\n                            \"Night Dragon\",\n                            \"Darkhotel\",\n                            \"Gallmaker\",\n                            \"APT29\",\n                            \"APT18\",\n                            \"Tropic Trooper\",\n                            \"Cobalt Group\",\n                            \"Patchwork\",\n                            \"Leafminer\",\n                            \"APT37\",\n                            \"Threat Group-3390\",\n                            \"Honeybee\",\n                            \"Dark Caracal\",\n                            \"menuPass\",\n                            \"APT19\",\n                            \"BlackOasis\",\n                            \"FIN8\",\n                            \"Leviathan\",\n                            \"Elderwood\",\n                            \"MuddyWater\",\n                            \"FIN7\",\n                            \"Magic Hound\",\n                            
\"OilRig\",\n                            \"APT3\",\n                            \"APT32\",\n                            \"Group5\",\n                            \"Dust Storm\",\n                            \"Lazarus Group\",\n                            \"Putter Panda\",\n                            \"APT28\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"malicious_powershell_process___encoded_command_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Malicious PowerShell Process - Multiple Suspicious Command-Line Arguments\",\n                    \"id\": \"2cdb91d2-542c-497f-b252-be495e71f38c\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search (process=*-EncodedCommand* OR process=*-enc*) process=*-Exec* AND process=*-NonI* | `malicious_powershell_process___multiple_suspicious_command_line_arguments_filter`\",\n                    \"known_false_positives\": \"Legitimate process can have this combination of command-line options, but it's not common.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Malicious PowerShell\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 7\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": 
\"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"PowerShell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"DarkVishnya\",\n                            \"Molerats\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Soft Cell\",\n                            \"TA505\",\n                            \"WIRTE\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"Gallmaker\",\n                            \"Turla\",\n                            \"APT19\",\n                            \"DarkHydrus\",\n                            \"APT28\",\n                            \"Thrip\",\n                            \"Gorgon Group\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"Leviathan\",\n                            \"TA459\",\n                            \"FIN8\",\n                            \"MuddyWater\",\n                            \"Magic Hound\",\n                            \"OilRig\",\n                            \"BRONZE BUTLER\",\n                            \"CopyKittens\",\n                            \"APT32\",\n                            \"FIN7\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Patchwork\",\n                            
\"Stealth Falcon\",\n                            \"FIN6\",\n                            \"Poseidon Group\",\n                            \"APT3\",\n                            \"APT29\",\n                            \"Deep Panda\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"malicious_powershell_process___multiple_suspicious_command_line_arguments_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Malicious PowerShell Process With Obfuscation Techniques\",\n                    \"id\": \"cde75cf6-3c7a-4dd6-af01-27cdb4511fd4\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for PowerShell processes launched with arguments that have characters indicative of obfuscation on the command-line.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval num_obfuscation = (mvcount(split(process, \\\"`\\\"))-1) + (mvcount(split(process, \\\"^\\\"))-1) | `malicious_powershell_process_with_obfuscation_techniques_filter` | search num_obfuscation > 0\",\n                    \"known_false_positives\": \"These characters might be legitimately on the command-line, but it is not 
common.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Malicious PowerShell\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 7\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"PowerShell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"DarkVishnya\",\n                            \"Molerats\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Soft Cell\",\n                            \"TA505\",\n                            \"WIRTE\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"Gallmaker\",\n                            
\"Turla\",\n                            \"APT19\",\n                            \"DarkHydrus\",\n                            \"APT28\",\n                            \"Thrip\",\n                            \"Gorgon Group\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"Leviathan\",\n                            \"TA459\",\n                            \"FIN8\",\n                            \"MuddyWater\",\n                            \"Magic Hound\",\n                            \"OilRig\",\n                            \"BRONZE BUTLER\",\n                            \"CopyKittens\",\n                            \"APT32\",\n                            \"FIN7\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Patchwork\",\n                            \"Stealth Falcon\",\n                            \"FIN6\",\n                            \"Poseidon Group\",\n                            \"APT3\",\n                            \"APT29\",\n                            \"Deep Panda\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n              
          },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"malicious_powershell_process_with_obfuscation_techniques_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Monitor Backup Solution\",\n            \"id\": \"abe807c7-1eb6-4304-ac32-6e7aacdb891d\",\n            \"version\": 1,\n            \"date\": \"2017-09-12\",\n            \"description\": \"Address common concerns when monitoring your backup processes. These searches can help you reduce risks from ransomware, device theft, or denial of physical access to a host by backing up data on endpoints.\",\n            \"narrative\": \"Having backups is a standard best practice that helps ensure continuity of business operations.  Having mature backup processes can also help you reduce the risks of many security-related incidents and streamline your response processes. The detection searches in this Analytic Story will help you identify systems that have backup failures, as well as systems that have not been backed up for an extended period of time. 
The story will also return the notable event history and all of the backup logs for an endpoint.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.carbonblack.com/2016/03/04/tracking-locky-ransomware-using-carbon-black/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Monitor Backup Solution\",\n                \"usecase\": \"Compliance\",\n                \"category\": [\n                    \"Best Practices\"\n                ],\n                \"mitre_attack_id\": [],\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Extended Period Without Successful Netbackup Backups\",\n                    \"id\": \"a34aae96-ccf8-4aef-952c-3ea214444440\",\n                    \"version\": 1,\n                    \"date\": \"2017-09-12\",\n                    \"description\": \"This search returns a list of hosts that have not successfully completed a backup in over a week.\",\n                    \"how_to_implement\": \"To successfully implement this search you need to first obtain data from your backup solution, either from the backup logs on your hosts, or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your backup solution. 
Depending on how often you backup your systems, you may want to modify how far in the past to look for a successful backup, other than the default of seven days.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`netbackup` MESSAGE=\\\"Disk/Partition backup completed successfully.\\\" | stats latest(_time) as latestTime by COMPUTERNAME | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest | eval isOutlier=if(latestTime <= relative_time(now(), \\\"-7d@d\\\"), 1, 0) | search isOutlier=1 | table latestTime, dest | `extended_period_without_successful_netbackup_backups_filter`\",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Monitor Backup Solution\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 10\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            
\"definition\": \"sourcetype=\\\"netbackup_logs\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"netbackup\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"extended_period_without_successful_netbackup_backups_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Unsuccessful Netbackup backups\",\n                    \"id\": \"a34aae96-ccf8-4aaa-952c-3ea21444444f\",\n                    \"version\": 1,\n                    \"date\": \"2017-09-12\",\n                    \"description\": \"This search gives you the hosts where a backup was attempted and then failed.\",\n                    \"how_to_implement\": \"To successfully implement this search you need to obtain data from your backup solution, either from the backup logs on your endpoints or from a central server responsible for performing the backups. 
If you do not use Netbackup, you can modify this search for your specific backup solution.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`netbackup` | stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE | search MESSAGE=\\\"An error occurred, failed to backup.\\\" | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest, MESSAGE as signature | table latestTime, dest, signature | `unsuccessful_netbackup_backups_filter`\",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Monitor Backup Solution\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 10\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Monitor Successful Backups\",\n                            \"id\": \"b4d0dfb2-2195-4f6e-93a3-48468ed9734e\",\n                            \"version\": 1,\n                            \"date\": \"2017-09-12\",\n                            \"description\": \"This search is intended to give you a feel for how often successful backups are conducted in your environment. 
Fluctuations in these numbers will allow you to determine when you should investigate.\",\n                            \"how_to_implement\": \"To successfully implement this search you must be ingesting your backup logs.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"`netbackup` \\\"Disk/Partition backup completed successfully.\\\" | bucket _time span=1d | stats dc(COMPUTERNAME) as count values(COMPUTERNAME) as dest by _time, MESSAGE\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Monitor Backup Solution\"\n                                ],\n                                \"detections\": [\n                                    \"Unsuccessful Netbackup backups\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Monitor Unsuccessful Backups\",\n                            \"id\": \"b2178fed-592f-492b-b851-74161678aa56\",\n                            \"version\": 1,\n                            \"date\": \"2017-09-12\",\n                            \"description\": \"This search is intended to give you a feel for how often backup failures happen in your environments.  
Fluctuations in these numbers will allow you to determine when you should investigate.\",\n                            \"how_to_implement\": \"To successfully implement this search you must be ingesting your backup logs.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"`netbackup` \\\"An error occurred, failed to backup.\\\" | bucket _time span=1d | stats dc(COMPUTERNAME) as count values(COMPUTERNAME) as dest by _time, MESSAGE\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Monitor Backup Solution\"\n                                ],\n                                \"detections\": [\n                                    \"Unsuccessful Netbackup backups\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"sourcetype=\\\"netbackup_logs\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"netbackup\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"unsuccessful_netbackup_backups_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Monitor for Unauthorized Software\",\n            \"id\": \"8892a655-6205-43f7-abba-06460e38c8ae\",\n            \"version\": 1,\n            \"date\": \"2017-09-15\",\n            \"description\": \"Identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behavior within your environment. \",\n            \"narrative\": \"It is critical to identify unauthorized software and processes running on enterprise endpoints and determine whether they are likely to be malicious. This Analytic Story requires the user to populate the Interesting Processes table within Enterprise Security with prohibited processes. An included support search will augment this data, adding information on processes thought to be malicious. This search requires data from endpoint detection-and-response solutions, endpoint data sources (such as Sysmon), or Windows Event Logs--assuming that the Active Directory administrator has enabled process tracking within the System Event Audit Logs.\\\\\\nIt is important to investigate any software identified as suspicious, in order to understand how it was installed or executed. Analyzing authentication logs or any historic notable events might elicit additional investigative leads of interest. For best results, schedule the search to run every two weeks. 
\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Monitor for Unauthorized Software\",\n                \"usecase\": \"Compliance\",\n                \"category\": [\n                    \"Best Practices\"\n                ],\n                \"mitre_attack_id\": [],\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Prohibited Software On Endpoint\",\n                    \"id\": \"a51bfe1a-94f0-48cc-b4e4-b6ae50145893\",\n                    \"version\": 2,\n                    \"date\": \"2019-10-11\",\n                    \"description\": \"This search looks for applications on the endpoint that you have marked as prohibited.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. This is typically populated via endpoint detection-and-response products, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is usually generated via logs that report process tracking in your Windows audit settings. In addition, you must also have only the `process_name` (not the entire process path) marked as \\\"prohibited\\\" in the Enterprise Security `interesting processes` table. 
To include the process names marked as \\\"prohibited\\\", which is included with ES Content Updates, run the included search <code>Add Prohibited Processes to Enterprise Security</code>.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `prohibited_softwares` | `prohibited_software_on_endpoint_filter`\",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Monitor for Unauthorized Software\",\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"SamSam Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\",\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 2\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Add 
Prohibited Processes to Enterprise Security\",\n                            \"id\": \"251930a5-1451-4428-bb13-eed5775be0ce\",\n                            \"version\": 1,\n                            \"date\": \"2017-09-15\",\n                            \"description\": \"This search takes the existing interesting process table from ES, filters out any existing additions added by ESCU and then updates the table with processes identified by ESCU that should be prohibited on your endpoints.\",\n                            \"how_to_implement\": \"This search should be run on each new install of ESCU.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"| inputlookup interesting_processes_lookup | search note!=ESCU* | inputlookup append=T prohibitedProcesses_lookup | fillnull value=* dest dest_pci_domain | fillnull value=false is_required is_secure | fillnull value=true is_prohibited | outputlookup interesting_processes_lookup | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Emotet Malware  DHS Report TA18-201A \",\n                                    \"Monitor for Unauthorized Software\",\n                                    \"SamSam Ransomware\"\n                                ],\n                                \"detections\": [\n                                    \"Prohibited Software On Endpoint\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                       
     \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"lookup interesting_processes_lookup app as process_name OUTPUT is_prohibited | search is_prohibited=True\",\n                            \"description\": \"This macro limits the output to process_names that have been marked as prohibited\",\n                            \"name\": \"prohibited_softwares\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"prohibited_software_on_endpoint_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Monitor for Updates\",\n            \"id\": \"9ef8d677-7b52-4213-a038-99cfc7acc2d8\",\n            \"version\": 1,\n            \"date\": \"2017-09-15\",\n            \"description\": \"Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches.\",\n            \"narrative\": \"It is a common best practice to ensure that endpoints are being patched and updated in a timely manner, in order to reduce the risk of compromise via a publicly disclosed vulnerability. 
Timely application of updates/patches is important to eliminate known vulnerabilities that may be exploited by various threat actors.\\\\\\nSearches in this analytic story are designed to help analysts monitor endpoints for system patches and/or updates. This helps analysts identify any systems that are not successfully updated in a timely manner.\\\\\\nMicrosoft releases updates for Windows systems on a monthly cadence. They should be installed as soon as possible after following internal testing and validation procedures. Patches and updates for other systems or applications are typically released as needed.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://learn.cisecurity.org/20-controls-download\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Monitor for Updates\",\n                \"usecase\": \"Compliance\",\n                \"category\": [\n                    \"Best Practices\"\n                ],\n                \"mitre_attack_id\": [],\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"detections\": [\n                {\n                    \"name\": \"No Windows Updates in a time frame\",\n                    \"id\": \"1a77c08c-2f56-409c-a2d3-7d64617edd4f\",\n                    \"version\": 1,\n                    \"date\": \"2017-09-15\",\n                    \"description\": \"This search looks for Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. Windows updates are typically released monthly and applied shortly thereafter. 
An endpoint that has not successfully applied an update in this time frame indicates the endpoint is not regularly being patched for some reason.\",\n                    \"how_to_implement\": \"To successfully implement this search, it requires that the 'Updates' data model is being populated. This can be accomplished by ingesting Windows events or the Windows Update log via a universal forwarder on the Windows endpoints you wish to monitor. The Windows add-on should also be installed and configured to properly parse Windows events in Splunk. There may be other data sources which can populate this data model, including vulnerability management systems.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product=\\\"Microsoft Windows\\\" by Updates.dest Updates.status Updates.vendor_product | rename Updates.dest as Host | rename Updates.status as \\\"Update Status\\\" | rename Updates.vendor_product as Product | eval isOutlier=if(lastTime <= relative_time(now(), \\\"-60d@d\\\"), 1, 0)  | `security_content_ctime(lastTime)`  | search isOutlier=1 | rename lastTime as \\\"Last Update Time\\\", | table Host, \\\"Update Status\\\", Product, \\\"Last Update Time\\\" | `no_windows_updates_in_a_time_frame_filter`\",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Monitor for Updates\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 18\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"PR.MA\"\n                        ],\n                        
\"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"no_windows_updates_in_a_time_frame_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Netsh Abuse\",\n            \"id\": \"2b1800dd-92f9-47ec-a981-fdf1351e5f65\",\n            \"version\": 1,\n            \"date\": \"2017-01-05\",\n            \"description\": \"Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system.\",\n            \"narrative\": \"It is a common practice for attackers of all types to leverage native Windows tools and functionality to execute commands for malicious reasons. One such tool on Windows OS is `netsh.exe`, a command-line scripting utility that allows you to--either locally or remotely--display or modify the network configuration of a computer that is currently running. `Netsh.exe` can be used to discover and disable local firewall settings. 
It can also be used to set up a remote connection to a host from an infected system.\\\\\\nTo get started, run the detection search to identify parent processes of `netsh.exe`.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb490939(v=technet.10)\",\n                \"https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html\",\n                \"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Netsh Abuse\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Abuse\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1562.004\",\n                    \"T1059.003\",\n                    \"T1059.001\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Windows Command Shell\",\n                    \"PowerShell\",\n                    \"Disable or Modify System Firewall\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Dragonfly 2.0\",\n                    \"Soft Cell\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"Rocke\",\n                    \"APT41\",\n                    \"BRONZE BUTLER\",\n                    \"Honeybee\",\n                    \"Gamaredon Group\",\n                    \"Frankenstein\",\n                    \"TA459\",\n                    \"DarkHydrus\",\n                    \"Cobalt Group\",\n                    \"Threat Group-3390\",\n                
    \"FIN10\",\n                    \"APT18\",\n                    \"APT32\",\n                    \"Tropic Trooper\",\n                    \"TEMP.Veles\",\n                    \"Patchwork\",\n                    \"APT28\",\n                    \"Deep Panda\",\n                    \"Turla\",\n                    \"Ke3chang\",\n                    \"Rancor\",\n                    \"CopyKittens\",\n                    \"FIN8\",\n                    \"APT38\",\n                    \"Gallmaker\",\n                    \"APT29\",\n                    \"Sowbug\",\n                    \"Silence\",\n                    \"APT19\",\n                    \"Molerats\",\n                    \"APT37\",\n                    \"menuPass\",\n                    \"DarkVishnya\",\n                    \"Blue Mockingbird\",\n                    \"Suckfly\",\n                    \"Poseidon Group\",\n                    \"Stealth Falcon\",\n                    \"APT39\",\n                    \"Gorgon Group\",\n                    \"Magic Hound\",\n                    \"admin@338\",\n                    \"Inception\",\n                    \"Kimsuky\",\n                    \"Dark Caracal\",\n                    \"Carbanak\",\n                    \"Thrip\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"Wizard Spider\",\n                    \"WIRTE\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"Threat Group-1314\",\n                    \"TA505\",\n                    \"APT33\",\n                    \"APT1\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Processes created by netsh\",\n                    \"id\": \"b89919ed-fe5f-492c-b139-95dbb162041e\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for 
child processes of netsh.exe, i.e. processes that netsh.exe itself launched to execute various commands. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process=\\\"*C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\netsh.exe*\\\" AND Processes.process_path!=\\\"C:\\\\\\\\Program Files\\\\\\\\rempl\\\\\\\\sedlauncher.exe\\\") by Processes.user Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `processes_created_by_netsh_filter`\",\n                    \"known_false_positives\": \"It is unusual for netsh.exe to have any child processes in most environments. It makes sense to investigate the child process and verify whether the process spawned is legitimate. 
We explicitly exclude the \\\"C:\\\\Program Files\\\\rempl\\\\sedlauncher.exe\\\" process path since it is a legitimate process by Microsoft. Note that this exclusion matches on process path alone, so a binary dropped at that same path would also be excluded; verify the file's signer if in doubt.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Netsh Abuse\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.001\",\n                            \"T1059.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"PowerShell\",\n                            \"Windows Command Shell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\",\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"DarkVishnya\",\n                            \"Molerats\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Soft Cell\",\n                            \"TA505\",\n                            \"WIRTE\",\n                            \"TEMP.Veles\",\n                            
\"APT33\",\n                            \"Gallmaker\",\n                            \"Turla\",\n                            \"APT19\",\n                            \"DarkHydrus\",\n                            \"APT28\",\n                            \"Thrip\",\n                            \"Gorgon Group\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"Leviathan\",\n                            \"TA459\",\n                            \"FIN8\",\n                            \"MuddyWater\",\n                            \"Magic Hound\",\n                            \"OilRig\",\n                            \"BRONZE BUTLER\",\n                            \"CopyKittens\",\n                            \"APT32\",\n                            \"FIN7\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Patchwork\",\n                            \"Stealth Falcon\",\n                            \"FIN6\",\n                            \"Poseidon Group\",\n                            \"APT3\",\n                            \"APT29\",\n                            \"Deep Panda\",\n                            \"TA505\",\n                            \"Blue Mockingbird\",\n                            \"Tropic Trooper\",\n                            \"Frankenstein\",\n                            \"OilRig\",\n                            \"Lazarus Group\",\n                            \"Honeybee\",\n                            \"Cobalt Group\",\n                            \"FIN7\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"Turla\",\n                            \"Silence\",\n                            \"APT32\",\n                            \"APT39\",\n                            \"Darkhotel\",\n                            
\"MuddyWater\",\n                            \"APT18\",\n                            \"APT38\",\n                            \"Dark Caracal\",\n                            \"Gorgon Group\",\n                            \"Dragonfly 2.0\",\n                            \"Rancor\",\n                            \"Ke3chang\",\n                            \"APT37\",\n                            \"Leviathan\",\n                            \"FIN8\",\n                            \"APT28\",\n                            \"Magic Hound\",\n                            \"Sowbug\",\n                            \"BRONZE BUTLER\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Gamaredon Group\",\n                            \"Suckfly\",\n                            \"Patchwork\",\n                            \"Threat Group-1314\",\n                            \"APT3\",\n                            \"admin@338\",\n                            \"APT1\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                     
       \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"processes_created_by_netsh_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Processes launching netsh\",\n                    \"id\": \"b89919ed-fe5f-492c-b139-95dbb162040e\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-10\",\n                    \"description\": \"This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for executions of netsh.exe, grouped by the parent process that launched them along with the user and host; child processes spawned by netsh.exe are covered by the separate 'Processes created by netsh' search.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Josef Kuepker, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) AS Processes.process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=netsh.exe by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.user Processes.dest |`drop_dm_object_name(\\\"Processes\\\")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`processes_launching_netsh_filter`\",\n                    \"known_false_positives\": \"Some VPN applications are known to launch netsh.exe. 
Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Netsh Abuse\",\n                            \"Disabling Security Tools\",\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1562.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Disable or Modify System Firewall\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Rocke\",\n                            \"Lazarus Group\",\n                            \"Kimsuky\",\n                            \"Dragonfly 2.0\",\n                            \"Carbanak\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of SMB Traffic - MLTK\",\n                            \"id\": \"df98763b-0b08-4281-8ef9-08db7ac572a9\",\n                            \"version\": 1,\n                            \"date\": \"2019-05-08\",\n                            \"description\": \"This search is used to build a Machine 
Learning Toolkit (MLTK) model to characterize the number of SMB connections observed each hour for every day of the week. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search to identify outliers in the number of SMB connections for that hour and day of the week.\",\n                            \"how_to_implement\": \"You must be ingesting network traffic and populating the Network_Traffic data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. To improve your results, you may consider adding \\\"src\\\" to the by clause, which will build the model for each unique source in your environment. However, if you have a large number of hosts in your environment, this search may be very resource intensive. In this case, you may need to raise the value of max_inputs and/or max_groups in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. 
More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=10m, All_Traffic.src | eval HourOfDay=strftime(_time, \\\"%H\\\") | eval DayOfWeek=strftime(_time, \\\"%A\\\") | `drop_dm_object_name(\\\"All_Traffic\\\")` | fit DensityFunction count by \\\"HourOfDay,DayOfWeek\\\" into smb_pdfmodel\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"DHS Report TA18-074A\",\n                                    \"Disabling Security Tools\",\n                                    \"Emotet Malware  DHS Report TA18-201A \",\n                                    \"Hidden Cobra Malware\",\n                                    \"Netsh Abuse\",\n                                    \"Ransomware\"\n                                ],\n                                \"detections\": [\n                                    \"Processes launching netsh\",\n                                    \"SMB Traffic Spike - MLTK\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Previously seen command line arguments\",\n                            \"id\": \"56059acf-50fe-4f60-98d1-b75b51b5c2f3\",\n                            \"version\": 2,\n                            \"date\": \"2019-03-01\",\n                            \"description\": \"This search looks for command-line arguments where `cmd.exe /c` is used to execute a program, then creates a baseline of the earliest and latest times we have encountered this command-line 
argument in our dataset within the last 30 days.\",\n                            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe AND Processes.process=\\\"* /c *\\\" by Processes.process | `drop_dm_object_name(Processes)`\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"DHS Report TA18-074A\",\n                                    \"Disabling Security Tools\",\n                                    \"Hidden Cobra Malware\",\n                                    \"Netsh Abuse\",\n                                    \"Orangeworm Attack Group\",\n                                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                                    \"Suspicious Command-Line Executions\",\n                                    \"Suspicious MSHTA Activity\"\n                                ],\n                                \"detections\": [\n                                    \"Detect Prohibited Applications Spawning cmd.exe\",\n                                    \"Processes launching netsh\",\n                                    \"First time seen command line argument\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n         
                   \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"processes_launching_netsh_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Orangeworm Attack Group\",\n            \"id\": \"bb9f5ed2-916e-4364-bb6d-97c370efcf52\",\n            \"version\": 2,\n            \"date\": \"2020-01-22\",\n            \"description\": \"Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry.\",\n            \"narrative\": \"In May of 2018, the attack group Orangeworm was implicated for installing a custom backdoor called Trojan.Kwampirs within large international healthcare corporations in the United States, Europe, and Asia. This malware provides the attackers with remote access to the target system, decrypting and extracting a copy of its main DLL payload from its resource section. 
Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.\\\\\\nAwareness of the Orangeworm group first surfaced in January, 2015. It has conducted targeted attacks against related industries, as well, such as pharmaceuticals and healthcare IT solution providers.\\\\\\nAlthough the group's motivation is unknown, its goal may be stealing patient information to sell on the black market. Another possible explanation is corporate espionage. \\\\\\nHealthcare may be a promising target, because it is notoriously behind in technology, often using older operating systems and neglecting to patch computers. Even so, the group was able to evade detection for a full three years. Sources say that the malware spread quickly within the target networks, infecting computers used to control medical devices, such as MRI and X-ray machines.\\\\\\nThis Analytic Story is designed to help you detect and investigate suspicious activities that may be indicative of an Orangeworm attack. One detection search looks for command-line arguments. Another monitors for uses of sc.exe, a non-essential Windows file that can manipulate Windows services. 
One of the investigative searches helps you get more information on web hosts that you suspect have been compromised.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia\",\n                \"https://www.infosecurity-magazine.com/news/healthcare-targeted-by-hacker/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Orangeworm Attack Group\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Malware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1059.003\",\n                    \"T1569.002\",\n                    \"T1059.001\",\n                    \"T1543.003\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Windows Command Shell\",\n                    \"PowerShell\",\n                    \"Windows Service\",\n                    \"Service Execution\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Execution\",\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Dragonfly 2.0\",\n                    \"Soft Cell\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"APT41\",\n                    \"BRONZE BUTLER\",\n                    \"Honeybee\",\n                    \"Gamaredon Group\",\n                    \"Frankenstein\",\n                    \"TA459\",\n                    \"DarkHydrus\",\n                    \"Cobalt Group\",\n                    \"Threat Group-3390\",\n                    \"FIN10\",\n                    \"APT18\",\n                    \"APT32\",\n      
              \"Tropic Trooper\",\n                    \"TEMP.Veles\",\n                    \"Patchwork\",\n                    \"APT28\",\n                    \"Deep Panda\",\n                    \"Turla\",\n                    \"Ke3chang\",\n                    \"Rancor\",\n                    \"CopyKittens\",\n                    \"FIN8\",\n                    \"APT38\",\n                    \"Gallmaker\",\n                    \"APT29\",\n                    \"Sowbug\",\n                    \"Silence\",\n                    \"APT19\",\n                    \"Molerats\",\n                    \"APT37\",\n                    \"menuPass\",\n                    \"DarkVishnya\",\n                    \"Blue Mockingbird\",\n                    \"Suckfly\",\n                    \"Poseidon Group\",\n                    \"Stealth Falcon\",\n                    \"APT39\",\n                    \"Gorgon Group\",\n                    \"Magic Hound\",\n                    \"admin@338\",\n                    \"Inception\",\n                    \"Kimsuky\",\n                    \"Dark Caracal\",\n                    \"Carbanak\",\n                    \"Thrip\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"Wizard Spider\",\n                    \"WIRTE\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"Threat Group-1314\",\n                    \"TA505\",\n                    \"APT33\",\n                    \"APT1\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"First time seen command line argument\",\n                    \"id\": \"9be56c82-b1cc-4318-87eb-q138afaaqa39\",\n                    \"version\": 5,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for command-line arguments that use a `/c` parameter to execute a command that has not 
 previously been seen.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments is mapped to the \\\"process\\\" field in the Endpoint data model. Please make sure you run the support search \\\"Previously seen command line arguments,\\\"—which creates a lookup file called `previously_seen_cmd_line_arguments.csv`—a historical baseline of all command-line arguments. You must also validate this list. Note that the detection search itself also merges new results into this lookup on every run (the `outputlookup` in its subsearch), so a command line that has been in the lookup for longer than the `-70m@m` window will not alert again. For the search to do accurate calculation, ensure the search is scheduled at the same interval as the `relative_time(now(), \\\"-70m@m\\\")` window used in the search.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \\\"* /c *\\\" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest| `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \\\"* /c *\\\" by Processes.process | `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)` | 
`security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter` \",\n                    \"known_false_positives\": \"Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. We recommend customizing the `first_time_seen_command_line_argument_filter` macro (the filter macro actually referenced by this search) to exclude legitimate parent_process_name values.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DHS Report TA18-074A\",\n                            \"Suspicious Command-Line Executions\",\n                            \"Orangeworm Attack Group\",\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Hidden Cobra Malware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.001\",\n                            \"T1059.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"PowerShell\",\n                            \"Windows Command Shell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\",\n                            \"Execution\"\n     
                   ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"DarkVishnya\",\n                            \"Molerats\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Soft Cell\",\n                            \"TA505\",\n                            \"WIRTE\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"Gallmaker\",\n                            \"Turla\",\n                            \"APT19\",\n                            \"DarkHydrus\",\n                            \"APT28\",\n                            \"Thrip\",\n                            \"Gorgon Group\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"Leviathan\",\n                            \"TA459\",\n                            \"FIN8\",\n                            \"MuddyWater\",\n                            \"Magic Hound\",\n                            \"OilRig\",\n                            \"BRONZE BUTLER\",\n                            \"CopyKittens\",\n                            \"APT32\",\n                            \"FIN7\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Patchwork\",\n                            \"Stealth Falcon\",\n                            \"FIN6\",\n                            \"Poseidon Group\",\n                            \"APT3\",\n                            \"APT29\",\n                            \"Deep Panda\",\n              
              \"TA505\",\n                            \"Blue Mockingbird\",\n                            \"Tropic Trooper\",\n                            \"Frankenstein\",\n                            \"OilRig\",\n                            \"Lazarus Group\",\n                            \"Honeybee\",\n                            \"Cobalt Group\",\n                            \"FIN7\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"Turla\",\n                            \"Silence\",\n                            \"APT32\",\n                            \"APT39\",\n                            \"Darkhotel\",\n                            \"MuddyWater\",\n                            \"APT18\",\n                            \"APT38\",\n                            \"Dark Caracal\",\n                            \"Gorgon Group\",\n                            \"Dragonfly 2.0\",\n                            \"Rancor\",\n                            \"Ke3chang\",\n                            \"APT37\",\n                            \"Leviathan\",\n                            \"FIN8\",\n                            \"APT28\",\n                            \"Magic Hound\",\n                            \"Sowbug\",\n                            \"BRONZE BUTLER\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Gamaredon Group\",\n                            \"Suckfly\",\n                            \"Patchwork\",\n                            \"Threat Group-1314\",\n                            \"APT3\",\n                            \"admin@338\",\n                            \"APT1\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously seen command line arguments\",\n                           
 \"id\": \"56059acf-50fe-4f60-98d1-b75b51b5c2f3\",\n                            \"version\": 2,\n                            \"date\": \"2019-03-01\",\n                            \"description\": \"This search looks for command-line arguments where `cmd.exe /c` is used to execute a program, then creates a baseline of the earliest and latest times we have encountered this command-line argument in our dataset within the last 30 days.\",\n                            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe AND Processes.process=\\\"* /c *\\\" by Processes.process | `drop_dm_object_name(Processes)`\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"DHS Report TA18-074A\",\n                                    \"Disabling Security Tools\",\n                                    \"Hidden Cobra Malware\",\n                                    \"Netsh Abuse\",\n                                    \"Orangeworm Attack Group\",\n                                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                                    \"Suspicious Command-Line Executions\",\n                                    \"Suspicious MSHTA Activity\"\n                                ],\n                                \"detections\": [\n                                    
\"Detect Prohibited Applications Spawning cmd.exe\",\n                                    \"Processes launching netsh\",\n                                    \"First time seen command line argument\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"first_time_seen_command_line_argument_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"First Time Seen Running Windows Service\",\n                    \"id\": \"823136f2-d755-4b6d-ae04-372b486a5808\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for the first and last time a Windows service is seen running in your environment. 
This table is then cached.\",\n                    \"how_to_implement\": \"While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows System event logs (EventCode 7036, via the `wineventlog_system` macro) in order for this search to execute successfully. You should run the baseline search `Previously Seen Running Windows Services - Initial` to build the initial table of previously seen service names for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Running Windows Services - Update` to keep this table up to date and to age out old Windows Services. Please update the `previously_seen_windows_service_window` macro to adjust how far back a service is still considered new, and the `previously_seen_windows_service_forget_window` macro used by the Update baseline to adjust how long an unseen service is retained before it is aged out. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`wineventlog_system` EventCode=7036 | rex field=Message \\\"The (?<service>[-\\\\(\\\\)\\\\s\\\\w]+) service entered the (?<state>\\\\w+) state\\\" | where state=\\\"running\\\" | lookup previously_seen_running_windows_services service as service OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), \\\"`previously_seen_windows_service_window`\\\") | table _time dest service | `first_time_seen_running_windows_service_filter`\",\n                    \"known_false_positives\": \"A previously unseen service is not necessarily malicious. 
Verify that the service is legitimate and that it was installed by a legitimate process, for example by correlating with the `Sc exe Manipulating Windows Services` detection in this story.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Service Abuse\",\n                            \"Orangeworm Attack Group\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1569.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 2\",\n                            \"CIS 9\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\",\n                            \"PR.AC\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Service Execution\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"APT41\",\n                            \"Silence\",\n                            \"FIN6\",\n                            \"APT32\",\n                            \"Honeybee\",\n                            \"Ke3chang\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen Running Windows Services - Initial\",\n                            \"id\": 
\"64ce0ade-cb01-4678-bddd-d31c0b175394\",\n                            \"version\": 3,\n                            \"date\": \"2020-06-23\",\n                            \"description\": \"This collects the services that have been started across your entire enterprise and writes them to the `previously_seen_running_windows_services` lookup, replacing any existing contents. Run it once to seed the baseline, then let the Update baseline maintain it.\",\n                            \"how_to_implement\": \"While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows System event logs (EventCode 7036, via the `wineventlog_system` macro) for it to execute successfully. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"`wineventlog_system` EventCode=7036 | rex field=Message \\\"The (?<service>[-\\\\(\\\\)\\\\s\\\\w]+) service entered the (?<state>\\\\w+) state\\\" | where state=\\\"running\\\" | stats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen by service | outputlookup previously_seen_running_windows_services\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Orangeworm Attack Group\",\n                                    \"Windows Service Abuse\"\n                                ],\n                                \"detections\": [\n                                    \"First Time Seen Running Windows Service\"\n                                ],\n                                \"deployments\": [\n                                    \"90 Day Baseline\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Previously Seen Running Windows Services - Update\",\n                            \"id\": \"2e3bdd68-1863-46ee-81f8-87273eee7f1c\",\n                            \"version\": 3,\n                            \"date\": \"2020-06-23\",\n                            \"description\": \"This search returns 
the first and last time a Windows service was seen across your enterprise within the last hour. It then merges this information with the historical lookup and drops any service that has not been seen within the window set by the `previously_seen_windows_service_forget_window` macro. This updated table is then written back to the lookup.\",\n                            \"how_to_implement\": \"While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows System event logs (EventCode 7036, via the `wineventlog_system` macro) for it to execute successfully. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"`wineventlog_system` EventCode=7036 | rex field=Message \\\"The (?<service>[-\\\\(\\\\)\\\\s\\\\w]+) service entered the (?<state>\\\\w+) state\\\" | where state=\\\"running\\\" | stats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen by service | inputlookup previously_seen_running_windows_services append=t | stats min(firstTimeSeen) as firstTimeSeen, max(lastTimeSeen) as lastTimeSeen by service | where lastTimeSeen > relative_time(now(), \\\"`previously_seen_windows_service_forget_window`\\\") | outputlookup previously_seen_running_windows_services\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Orangeworm Attack Group\",\n                                    \"Windows Service Abuse\"\n                                ],\n                                \"detections\": [\n                                    \"First Time Seen Running Windows Service\"\n                                ],\n                                \"deployments\": [\n                                    \"Hourly Cache Updates\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n             
               \"definition\": \"eventtype=wineventlog_system\",\n                            \"description\": \"Customer-specific Splunk configuration (e.g. index, source, sourcetype). Replace the macro definition with the configuration for your Splunk environment.\",\n                            \"name\": \"wineventlog_system\"\n                        },\n                        {\n                            \"description\": \"Use this macro to determine how far back you should be checking for new Windows services. Note that the `previously_seen_windows_service_forget_window` macro referenced by the Update baseline is not included in this macro list and must be defined separately.\",\n                            \"definition\": \"-70m@m\",\n                            \"name\": \"previously_seen_windows_service_window\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"first_time_seen_running_windows_service_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Sc exe Manipulating Windows Services\",\n                    \"id\": \"f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for arguments to sc.exe indicating the creation or modification of a Windows service.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process=\\\"* create *\\\" OR Processes.process=\\\"* config *\\\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | 
`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`\",\n                    \"known_false_positives\": \"Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior, such as software installers or administrative scripts running `sc create` or `sc config`. It is important to validate and investigate as appropriate; the parent process and user returned by the search help decide whether the activity is expected.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Service Abuse\",\n                            \"DHS Report TA18-074A\",\n                            \"Orangeworm Attack Group\",\n                            \"Windows Persistence Techniques\",\n                            \"Disabling Security Tools\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1543.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\",\n                            \"PR.PT\",\n                            \"PR.AC\",\n                            \"PR.AT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Service\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue 
Mockingbird\",\n                            \"DarkVishnya\",\n                            \"Wizard Spider\",\n                            \"APT32\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Tropic Trooper\",\n                            \"Cobalt Group\",\n                            \"Ke3chang\",\n                            \"Honeybee\",\n                            \"FIN7\",\n                            \"Threat Group-3390\",\n                            \"APT19\",\n                            \"APT3\",\n                            \"Lazarus Group\",\n                            \"Carbanak\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"sc_exe_manipulating_windows_services_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Phishing Payloads\",\n            \"id\": \"57226b40-94f3-4ce5-b101-a75f67759c27\",\n            \"version\": 1,\n            \"date\": \"2019-04-29\",\n            \"description\": \"Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.\",\n            \"narrative\": \"Despite its simplicity, phishing remains the most pervasive and dangerous cyberthreat. In fact, research shows that as many as [91% of all successful attacks](https://digitalguardian.com/blog/91-percent-cyber-attacks-start-phishing-email-heres-how-protect-against-phishing) are initiated via a phishing email. \\\\\\nAs most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Worse, because its success relies on the gullibility of humans, it's impossible to completely \\\"automate\\\" it out of your environment. However, you can use ES and ESCU to detect and investigate potentially malicious payloads injected into your environment subsequent to a phishing attack. 
\\\\\\nWhile any kind of file may contain a malicious payload, some are more likely to be perceived as benign (and thus more often escape notice) by the average victim—especially when the attacker sends an email that seems to be from one of their contacts. An example is Microsoft Office files. Most corporate users are familiar with documents with the following suffixes: .doc/.docx (MS Word), .xls/.xlsx (MS Excel), and .ppt/.pptx (MS PowerPoint), so they may click without a second thought, slashing a hole in their organizations' security. \\\\\\nFollowing is a typical series of events, according to an [article by Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/rising-trend-attackers-using-lnk-files-download-malware/):\\\\\\n1. Attacker sends a phishing email. Recipient downloads the attached file, which is typically a .docx or .zip file with an embedded .lnk file\\\\\\n1. The .lnk file executes a PowerShell script\\\\\\n1. PowerShell executes a reverse shell, rendering the exploit successful\\\\\\nAs a side note, adversaries are likely to use a tool like Empire to craft and obfuscate payloads and their post-injection activities, such as [exfiltration, lateral movement, and persistence](https://github.com/EmpireProject/Empire).\\\\\\nThis Analytic Story focuses on detecting signs that a malicious payload has been injected into your environment. For example, one search detects outlook.exe writing a .zip file. 
Another looks for suspicious .lnk files launching processes.\",\n            \"author\": \"Splunk Research Team, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Phishing Payloads\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1566.002\",\n                    \"T1566.001\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Spearphishing Attachment\",\n                    \"Spearphishing Link\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Dragonfly 2.0\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"Stolen Pencil\",\n                    \"Gamaredon Group\",\n                    \"APT41\",\n                    \"Naikon\",\n                    \"BRONZE BUTLER\",\n                    \"Frankenstein\",\n                    \"TA459\",\n                    \"DarkHydrus\",\n                    \"Cobalt Group\",\n                    \"Night Dragon\",\n                    \"Tropic Trooper\",\n                    \"APT32\",\n                    \"Patchwork\",\n                    \"APT28\",\n                    \"Turla\",\n                    \"Rancor\",\n                    \"RTM\",\n                    \"Sharpshooter\",\n                    \"FIN8\",\n                    \"Sandworm Team\",\n                    \"Gallmaker\",\n                    \"APT29\",\n                    \"Silence\",\n            
        \"Molerats\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"menuPass\",\n                    \"APT-C-36\",\n                    \"Machete\",\n                    \"APT39\",\n                    \"admin@338\",\n                    \"Magic Hound\",\n                    \"Gorgon Group\",\n                    \"Inception\",\n                    \"PLATINUM\",\n                    \"Windshift\",\n                    \"APT12\",\n                    \"The White Company\",\n                    \"Elderwood\",\n                    \"Kimsuky\",\n                    \"Darkhotel\",\n                    \"Mofang\",\n                    \"Wizard Spider\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"FIN4\",\n                    \"BlackTech\",\n                    \"TA505\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect Oulook exe writing a  zip file\",\n                    \"id\": \"a51bfe1a-94f0-4822-b1e4-16ae10145893\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for execution of process `outlook.exe` where the process is writing a `.zip` file to the disk.\",\n                    \"how_to_implement\": \"You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. 
This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly`  min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe OR Processes.process_name=explorer.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| rename parent_process_id as outlook_id| join malicious_id type=inner[| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name  FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*zip*   OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\\\\\\\Users* OR Filesystem.file_path=*Local\\\\\\\\Temp*) by  _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest  | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id| fields malicious_id outlook_id dest file_path file_name file_hash count file_id] | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name  file_path | where file_name != \\\"\\\" | `detect_oulook_exe_writing_a__zip_file_filter` \",\n                    \"known_false_positives\": \"It is not uncommon for outlook to write legitimate zip files to the disk.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Phishing Payloads\"\n                        ],\n                        
\"mitre_attack_id\": [\n                            \"T1566.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 7\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Spearphishing Attachment\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Magic Hound\",\n                            \"Windshift\",\n                            \"APT33\",\n                            \"Sandworm Team\",\n                            \"Naikon\",\n                            \"Gamaredon Group\",\n                            \"Sharpshooter\",\n                            \"Molerats\",\n                            \"Mofang\",\n                            \"Wizard Spider\",\n                            \"RTM\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"BlackTech\",\n                            \"APT-C-36\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"admin@338\",\n                            \"Kimsuky\",\n                            \"APT12\",\n                            \"TA505\",\n                            \"Silence\",\n                            \"The White 
Company\",\n                            \"APT39\",\n                            \"FIN4\",\n                            \"Darkhotel\",\n                            \"Gallmaker\",\n                            \"Tropic Trooper\",\n                            \"Turla\",\n                            \"Gorgon Group\",\n                            \"Rancor\",\n                            \"DarkHydrus\",\n                            \"Cobalt Group\",\n                            \"FIN7\",\n                            \"OilRig\",\n                            \"Lazarus Group\",\n                            \"APT19\",\n                            \"Dragonfly 2.0\",\n                            \"BRONZE BUTLER\",\n                            \"APT32\",\n                            \"FIN8\",\n                            \"MuddyWater\",\n                            \"APT28\",\n                            \"TA459\",\n                            \"Leviathan\",\n                            \"Patchwork\",\n                            \"PLATINUM\",\n                            \"Elderwood\",\n                            \"APT29\",\n                            \"APT37\",\n                            \"menuPass\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": 
\"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_oulook_exe_writing_a__zip_file_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Suspicious LNK file launching a process\",\n                    \"id\": \"5d814af1-1041-47b5-a9ac-d754e82e9a26\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for a ``*.lnk` file under `C:\\\\User*` or `*\\\\Local\\\\Temp\\\\*` executing a process. This is common behavior used by various spear phishing tools.\",\n                    \"how_to_implement\": \"You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. 
This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Jose Hernandez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name=\\\"*.lnk\\\" AND (Filesystem.file_path=\\\"C:\\\\\\\\Users*\\\" OR Filesystem.file_path=\\\"*Local\\\\\\\\Temp*\\\")  by _time span=1h Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.file_hash Filesystem.user | `drop_dm_object_name(Filesystem)` | rename process_id as lnk_pid | join lnk_pid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=*  by _time span=1h Processes.parent_process_id Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process | `drop_dm_object_name(Processes)` | rename parent_process_id as lnk_pid | fields _time lnk_pid process_id dest process_name process_path process] | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime, lnk_pid, process_id, user, dest, file_name, file_path, process_name, process, process_path, file_hash | `suspicious_lnk_file_launching_a_process_filter` \",\n                    \"known_false_positives\": \"This detection should yield little or no false positive results. 
It is uncommon for LNK files to execute processes from temporary or user directories. Note that the search correlates on process ID, not on the LNK file itself: any process that has Filesystem activity on a `.lnk` file under those paths and is the parent of another process in the same one-hour bucket is returned, so review the `process` and `file_name` fields before escalating.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Phishing Payloads\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1566.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 7\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Spearphishing Link\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Windshift\",\n                            \"Molerats\",\n                            \"Mofang\",\n                            \"BlackTech\",\n                            \"Machete\",\n                            \"Kimsuky\",\n                            \"TA505\",\n                            \"Stolen Pencil\",\n                            \"APT39\",\n                            \"FIN4\",\n                            \"APT32\",\n                            \"Night Dragon\",\n                            \"Turla\",\n                            \"APT28\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"OilRig\",\n        
                    \"APT33\",\n                            \"Elderwood\",\n                            \"Leviathan\",\n                            \"Magic Hound\",\n                            \"Patchwork\",\n                            \"APT29\",\n                            \"FIN8\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"suspicious_lnk_file_launching_a_process_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n            \"id\": \"988C59C5-0A1C-45B6-A555-0C62276E327E\",\n            \"version\": 1,\n            \"date\": \"2020-01-22\",\n            \"description\": \"Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.\",\n            \"narrative\": \"This story was created as a joint effort between iDefense and Splunk.\\\\\\niDefense analysts have recently discovered a Windows executable file that, upon execution, spoofs a decryption tool and then drops a file that appears to be the custom-built javascript backdoor, \\\"Orz,\\\" which is associated with the threat actors known as MUDCARP (as well as \\\"temp.Periscope\\\" and \\\"Leviathan\\\"). The file is executed using Wscript.\\\\\\nThe MUDCARP techniques include the use of the compressed-folders module from Microsoft, zipfldr.dll, with RouteTheCall export to run the malicious process or command. After a successful reboot, the malware is made persistent by a manipulating `[HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run]'help'='c:\\\\\\\\windows\\\\\\\\system32\\\\\\\\rundll32.exe c:\\\\\\\\windows\\\\\\\\system32\\\\\\\\zipfldr.dll,RouteTheCall c:\\\\\\\\programdata\\\\\\\\winapp.exe'`. Though this technique is not exclusive to MUDCARP, it has been spotted in the group's arsenal of advanced techniques seen in the wild.\\\\\\nThis Analytic Story searches for evidence of tactics, techniques, and procedures (TTPs) that allow for the use of a endpoint detection-and-response (EDR) bypass technique to mask the true parent of a malicious process. 
It can also be set as a registry key for further sandbox evasion and to allow the malware to launch only after reboot.\\\\\\nIf behavioral searches included in this story yield positive hits, iDefense recommends conducting IOC searches for the following domains (shown defanged with `[.]`; remove the brackets before searching):\\\\\\n\\\\\\n1. www.chemscalere[.]com\\\\\\n1. chemscalere[.]com\\\\\\n1. about.chemscalere[.]com\\\\\\n1. autoconfig.chemscalere[.]com\\\\\\n1. autodiscover.chemscalere[.]com\\\\\\n1. catalog.chemscalere[.]com\\\\\\n1. cpanel.chemscalere[.]com\\\\\\n1. db.chemscalere[.]com\\\\\\n1. ftp.chemscalere[.]com\\\\\\n1. mail.chemscalere[.]com\\\\\\n1. news.chemscalere[.]com\\\\\\n1. update.chemscalere[.]com\\\\\\n1. webmail.chemscalere[.]com\\\\\\n1. www.candlelightparty[.]org\\\\\\n1. candlelightparty[.]org\\\\\\n1. newapp.freshasianews[.]com\\\\\\n\\\\\\nIn addition, iDefense also recommends that organizations review their environments for activity related to the following file hashes (MD5):\\\\\\n\\\\\\n1. cd195ee448a3657b5c2c2d13e9c7a2e2\\\\\\n1. b43ad826fe6928245d3c02b648296b43\\\\\\n1. 889a9b52566448231f112a5ce9b5dfaf\\\\\\n1. b8ec65dab97cdef3cd256cc4753f0c54\\\\\\n1. 
04d83cd3813698de28cfbba326d7647c\",\n            \"author\": \"iDefense Cyber Espionage Team, iDefense\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.infosecurity-magazine.com/news/scope-of-mudcarp-attacks-highlight-1/\",\n                \"http://blog.amossys.fr/badflick-is-not-so-bad.html\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1547.001\",\n                    \"T1059.003\",\n                    \"T1059.001\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Windows Command Shell\",\n                    \"PowerShell\",\n                    \"Registry Run Keys / Startup Folder\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Execution\",\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Putter Panda\",\n                    \"Dragonfly 2.0\",\n                    \"Soft Cell\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"Rocke\",\n                    \"APT41\",\n                    \"BRONZE BUTLER\",\n                    \"Honeybee\",\n                    \"Gamaredon Group\",\n                    \"Frankenstein\",\n                    \"TA459\",\n                    \"DarkHydrus\",\n                    \"Cobalt Group\",\n                    \"Threat Group-3390\",\n                    \"FIN10\",\n                    \"APT18\",\n                    \"APT32\",\n                    \"Tropic Trooper\",\n  
                  \"TEMP.Veles\",\n                    \"Patchwork\",\n                    \"APT28\",\n                    \"Deep Panda\",\n                    \"Turla\",\n                    \"Ke3chang\",\n                    \"Rancor\",\n                    \"CopyKittens\",\n                    \"RTM\",\n                    \"Sharpshooter\",\n                    \"FIN8\",\n                    \"APT38\",\n                    \"Gallmaker\",\n                    \"APT29\",\n                    \"Sowbug\",\n                    \"Silence\",\n                    \"APT19\",\n                    \"Molerats\",\n                    \"APT37\",\n                    \"menuPass\",\n                    \"DarkVishnya\",\n                    \"Blue Mockingbird\",\n                    \"Suckfly\",\n                    \"Machete\",\n                    \"Poseidon Group\",\n                    \"Stealth Falcon\",\n                    \"APT39\",\n                    \"Gorgon Group\",\n                    \"Magic Hound\",\n                    \"admin@338\",\n                    \"Inception\",\n                    \"Kimsuky\",\n                    \"Dark Caracal\",\n                    \"Thrip\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"Wizard Spider\",\n                    \"WIRTE\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"Threat Group-1314\",\n                    \"TA505\",\n                    \"APT33\",\n                    \"APT1\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"First time seen command line argument\",\n                    \"id\": \"9be56c82-b1cc-4318-87eb-q138afaaqa39\",\n                    \"version\": 5,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for command-line arguments that use a `/c` parameter to 
execute a command that has not previously been seen.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. Please make sure you run the support search \\\"Previously seen command line arguments,\\\"—which creates a lookup file called `previously_seen_cmd_line_arguments.csv`—a historical baseline of all command-line arguments. You must also validate this list. For the search to do accurate calculation, ensure the search runs on a schedule that matches the `-70m@m` window passed to `relative_time` in the subsearch. Note that the subsearch also rewrites the lookup via `outputlookup` on every execution, so running this search ad hoc outside its schedule will fold any newly seen arguments into the baseline.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \\\"* /c *\\\" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest| `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \\\"* /c *\\\" by Processes.process | `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newCmdLineArgument=1 | 
`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter` \",\n                    \"known_false_positives\": \"Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. We recommend customizing the `first_time_seen_command_line_argument_filter` macro (the filter macro this search actually calls) to exclude legitimate `parent_process_name` values.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DHS Report TA18-074A\",\n                            \"Suspicious Command-Line Executions\",\n                            \"Orangeworm Attack Group\",\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Hidden Cobra Malware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.001\",\n                            \"T1059.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"PowerShell\",\n                            \"Windows Command Shell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\",\n          
                  \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"DarkVishnya\",\n                            \"Molerats\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Soft Cell\",\n                            \"TA505\",\n                            \"WIRTE\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"Gallmaker\",\n                            \"Turla\",\n                            \"APT19\",\n                            \"DarkHydrus\",\n                            \"APT28\",\n                            \"Thrip\",\n                            \"Gorgon Group\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"Leviathan\",\n                            \"TA459\",\n                            \"FIN8\",\n                            \"MuddyWater\",\n                            \"Magic Hound\",\n                            \"OilRig\",\n                            \"BRONZE BUTLER\",\n                            \"CopyKittens\",\n                            \"APT32\",\n                            \"FIN7\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Patchwork\",\n                            \"Stealth Falcon\",\n                            \"FIN6\",\n                            \"Poseidon Group\",\n                            \"APT3\",\n                            \"APT29\",\n                     
       \"Deep Panda\",\n                            \"TA505\",\n                            \"Blue Mockingbird\",\n                            \"Tropic Trooper\",\n                            \"Frankenstein\",\n                            \"OilRig\",\n                            \"Lazarus Group\",\n                            \"Honeybee\",\n                            \"Cobalt Group\",\n                            \"FIN7\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"Turla\",\n                            \"Silence\",\n                            \"APT32\",\n                            \"APT39\",\n                            \"Darkhotel\",\n                            \"MuddyWater\",\n                            \"APT18\",\n                            \"APT38\",\n                            \"Dark Caracal\",\n                            \"Gorgon Group\",\n                            \"Dragonfly 2.0\",\n                            \"Rancor\",\n                            \"Ke3chang\",\n                            \"APT37\",\n                            \"Leviathan\",\n                            \"FIN8\",\n                            \"APT28\",\n                            \"Magic Hound\",\n                            \"Sowbug\",\n                            \"BRONZE BUTLER\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Gamaredon Group\",\n                            \"Suckfly\",\n                            \"Patchwork\",\n                            \"Threat Group-1314\",\n                            \"APT3\",\n                            \"admin@338\",\n                            \"APT1\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously seen command line 
arguments\",\n                            \"id\": \"56059acf-50fe-4f60-98d1-b75b51b5c2f3\",\n                            \"version\": 2,\n                            \"date\": \"2019-03-01\",\n                            \"description\": \"This search looks for command-line arguments where `cmd.exe /c` is used to execute a program, then creates a baseline of the earliest and latest times we have encountered this command-line argument in our dataset within the last 30 days.\",\n                            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe AND Processes.process=\\\"* /c *\\\" by Processes.process | `drop_dm_object_name(Processes)`\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"DHS Report TA18-074A\",\n                                    \"Disabling Security Tools\",\n                                    \"Hidden Cobra Malware\",\n                                    \"Netsh Abuse\",\n                                    \"Orangeworm Attack Group\",\n                                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                                    \"Suspicious Command-Line Executions\",\n                                    \"Suspicious MSHTA Activity\"\n                                ],\n                                
\"detections\": [\n                                    \"Detect Prohibited Applications Spawning cmd.exe\",\n                                    \"Processes launching netsh\",\n                                    \"First time seen command line argument\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"first_time_seen_command_line_argument_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Malicious PowerShell Process - Connect To Internet With Hidden Window\",\n                    \"id\": \"ee18ed37-0802-4268-9435-b3b91aaa18db\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for PowerShell processes started with parameters to modify the execution policy of the run, run in a hidden window, and connect to the Internet. This combination of command-line options is suspicious because it's overriding the default PowerShell execution policy, attempts to hide its activity from the user, and connects to the Internet.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=\\\"*-Exec*\\\" process=\\\"*-WindowStyle*\\\" process=\\\"*hidden*\\\" process=\\\"*New-Object*\\\" process=\\\"*System.Net.WebClient*\\\" | `malicious_powershell_process___connect_to_internet_with_hidden_window_filter`\",\n                    \"known_false_positives\": \"Legitimate process can have this combination of command-line options, but it's not common.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Malicious PowerShell\",\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 7\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n       
                     \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"PowerShell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"DarkVishnya\",\n                            \"Molerats\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Soft Cell\",\n                            \"TA505\",\n                            \"WIRTE\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"Gallmaker\",\n                            \"Turla\",\n                            \"APT19\",\n                            \"DarkHydrus\",\n                            \"APT28\",\n                            \"Thrip\",\n                            \"Gorgon Group\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"Leviathan\",\n                            \"TA459\",\n                            \"FIN8\",\n                            \"MuddyWater\",\n                            \"Magic Hound\",\n                            \"OilRig\",\n                            \"BRONZE BUTLER\",\n                            \"CopyKittens\",\n                            \"APT32\",\n                            \"FIN7\",\n                            \"FIN10\",\n           
                 \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Patchwork\",\n                            \"Stealth Falcon\",\n                            \"FIN6\",\n                            \"Poseidon Group\",\n                            \"APT3\",\n                            \"APT29\",\n                            \"Deep Panda\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"malicious_powershell_process___connect_to_internet_with_hidden_window_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Registry Keys Used For Persistence\",\n                    \"id\": \"f5f6af30-7aa7-4295-bfe9-07fe87c01a4b\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"The search looks for modifications to registry keys that can be used to launch an application or service at system startup.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*currentversion\\\\\\\\run* OR Registry.registry_path=*currentVersion\\\\\\\\Windows\\\\\\\\Appinit_Dlls* OR Registry.registry_path=CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell* OR Registry.registry_path=*CurrentVersion\\\\\\\\Winlogon\\\\\\\\Userinit* OR Registry.registry_path=*CurrentVersion\\\\\\\\Winlogon\\\\\\\\VmApplet* OR Registry.registry_path=*currentversion\\\\\\\\policies\\\\\\\\explorer\\\\\\\\run* OR Registry.registry_path=*currentversion\\\\\\\\runservices* OR 
Registry.registry_path=*\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\* OR Registry.registry_path=\\\"*Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options*\\\" OR Registry.registry_path=HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Netsh\\\\\\\\*) by Registry.dest , Registry.status, Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `registry_keys_used_for_persistence_filter`\",\n                    \"known_false_positives\": \"There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Windows Registry Activities\",\n                            \"Suspicious MSHTA Activity\",\n                            \"DHS Report TA18-074A\",\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Ransomware\",\n                            \"Windows Persistence Techniques\",\n                            \"Emotet Malware  DHS Report TA18-201A \"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1547.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                 
           \"Registry Run Keys / Startup Folder\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Rocke\",\n                            \"Tropic Trooper\",\n                            \"Gamaredon Group\",\n                            \"Sharpshooter\",\n                            \"Molerats\",\n                            \"Silence\",\n                            \"RTM\",\n                            \"Inception\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"Kimsuky\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"APT18\",\n                            \"Turla\",\n                            \"Dark Caracal\",\n                            \"Cobalt Group\",\n                            \"Honeybee\",\n                            \"Threat Group-3390\",\n                            \"Dragonfly 2.0\",\n                            \"Gorgon Group\",\n                            \"Ke3chang\",\n                            \"APT19\",\n                            \"Leviathan\",\n                            \"MuddyWater\",\n                            \"APT37\",\n                            \"BRONZE BUTLER\",\n                            \"Magic Hound\",\n                            \"APT3\",\n                            \"FIN10\",\n                            \"FIN7\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            \"Lazarus Group\",\n                            \"Putter Panda\",\n                            \"APT29\",\n                            \"Darkhotel\"\n                        ]\n               
     },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"registry_keys_used_for_persistence_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Unusually Long Command Line\",\n                    \"id\": \"c77162d3-f93c-45cc-80c8-22f6a4264e7f\",\n                    \"version\": 4,\n                    \"date\": \"2020-03-16\",\n                    \"description\": \"Command lines that are extremely long may be indicative of malicious activity on your hosts.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships, from your endpoints to populate the Endpoint data model in the Processes node. 
The command-line arguments are mapped to the process field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|  eval processlen=len(process) | eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process | `unusually_long_command_line_filter` | eval threshold = 10 | where maxlen > ((threshold*stdevperhost) + avgperhost)\",\n                    \"known_false_positives\": \"Some legitimate applications start with long command lines.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Command-Line Executions\",\n                            \"Unusual Processes\",\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"\",\n                        \"mitre_attack_technique\": [],\n                      
  \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"unusually_long_command_line_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Unusually Long Command Line - MLTK\",\n                    \"id\": \"57edaefa-a73b-45e5-bbae-f39c1473f941\",\n                    \"version\": 1,\n                    \"date\": \"2019-05-08\",\n                    \"description\": \"Command lines that are extremely long may be indicative of malicious activity on your hosts. This search leverages the Machine Learning Toolkit (MLTK) to help identify command lines with lengths that are unusual for a given user.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that monitors command lines and populates the Endpoint data model in the Processes node. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. In addition, MLTK version >= 4.2 must be installed on your search heads, along with any required dependencies. Finally, the support search \\\"Baseline of Command Line Length - MLTK\\\" must be executed before this detection search, as it builds an ML model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown | apply cmdline_pdfmodel threshold=0.01 | rename \\\"IsOutlier(processlen)\\\" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count | `unusually_long_command_line___mltk_filter`\",\n                    \"known_false_positives\": \"Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. If you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. You should also periodically re-run the support search to re-build the ML model on the latest data. 
You may get unexpected results if the user identified in the results is not present in the data used to build the associated model.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Command-Line Executions\",\n                            \"Unusual Processes\",\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of Command Line Length - MLTK\",\n                            \"id\": \"d2a4d85b-fc6a-47a0-82f6-bc1ec2ebc459\",\n                            \"version\": 1,\n                            \"date\": \"2019-05-08\",\n                            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the command lines observed for each user in the environment. By default, the search uses the last 30 days of data to build the model. 
The model created by this search is then used in the corresponding detection search, which identifies outliers in the length of the command line.\",\n                            \"how_to_implement\": \"You must be ingesting endpoint data and populating the Endpoint data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | search user!=unknown | `security_content_ctime(start_time)`| `security_content_ctime(end_time)`| eval processlen=len(process) | fit DensityFunction processlen by user into cmdline_pdfmodel\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                                    \"Ransomware\",\n                                    \"Suspicious Command-Line Executions\",\n                                    
\"Suspicious MSHTA Activity\",\n                                    \"Unusual Processes\"\n                                ],\n                                \"detections\": [\n                                    \"Detect Prohibited Applications Spawning cmd.exe\",\n                                    \"Unusually Long Command Line - MLTK\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"unusually_long_command_line___mltk_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Prohibited Traffic Allowed or Protocol Mismatch\",\n            \"id\": \"6d13121c-90f3-446d-8ac3-27efbbc65218\",\n            \"version\": 1,\n            \"date\": \"2017-09-11\",\n            \"description\": \"Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.\",\n            \"narrative\": \"A traditional security best practice is to control the ports, protocols, and services allowed within your environment. By limiting the services and protocols to those explicitly approved by policy, administrators can minimize the attack surface. The combined effect allows both network defenders and security controls to focus and not be mired in superfluous traffic or data types. 
Looking for deviations to policy can identify attacker activity that abuses services and protocols to run on alternate or non-standard ports in the attempt to avoid detection or frustrate forensic analysts.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"http://www.novetta.com/2015/02/advanced-methods-to-detect-advanced-cyber-attacks-protocol-abuse/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Prohibited Traffic Allowed or Protocol Mismatch\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Best Practices\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1048\",\n                    \"T1071.001\",\n                    \"T1048.003\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Exfiltration Over Alternative Protocol\",\n                    \"Web Protocols\",\n                    \"Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Exfiltration\",\n                    \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Lazarus Group\",\n                    \"Rocke\",\n                    \"APT41\",\n                    \"BRONZE BUTLER\",\n                    \"Gamaredon Group\",\n                    \"Threat Group-3390\",\n                    \"Night Dragon\",\n                    \"Cobalt Group\",\n                    \"APT18\",\n                    \"APT32\",\n                    \"Tropic Trooper\",\n                    \"APT28\",\n                    \"Turla\",\n                    \"Ke3chang\",\n                    \"no\",\n                    \"Rancor\",\n                    \"FIN8\",\n                    
\"SilverTerrier\",\n                    \"APT38\",\n                    \"Sandworm Team\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"Machete\",\n                    \"Orangeworm\",\n                    \"APT39\",\n                    \"Stealth Falcon\",\n                    \"Magic Hound\",\n                    \"Inception\",\n                    \"Dark Caracal\",\n                    \"Thrip\",\n                    \"Wizard Spider\",\n                    \"WIRTE\",\n                    \"OilRig\",\n                    \"FIN4\",\n                    \"TA505\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect hosts connecting to dynamic domain providers\",\n                    \"id\": \"c77162d3-f93c-45cc-80c8-22f6v5464g9f\",\n                    \"version\": 2,\n                    \"date\": \"2020-01-16\",\n                    \"description\": \"Malicious actors often abuse legitimate Dynamic DNS services to host malicious payloads or interactive command and control nodes. Attackers will automate domain resolution changes by routing dynamic domains to countless IP addresses to circumvent firewall blocks, blacklists as well as frustrate a network defenders analytic and investigative processes. This search will look for DNS queries made from within your infrastructure to suspicious dynamic domains.\",\n                    \"how_to_implement\": \"First, you'll need to ingest data from your DNS operations. This can be done by ingesting logs from your server or data, collected passively by Splunk Stream or a similar solution. Specifically, data that contains the domain that is being queried and the IP of the host originating the request must be populating the `Network_Resolution` data model. 
This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of Dynamic DNS providers. Please consider updating the local lookup periodically by adding new domains to the list of `dynamic_dns_providers_local.csv`.\\\\\\nThis search produces fields (query, answer, isDynDNS) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable event. To see the additional metadata, add the following fields, if not already present, to Incident Review. Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** DNS Query, **Field:** query\\\\\\n1. \\\\\\n1. **Label:** DNS Answer, **Field:** answer\\\\\\n1. \\\\\\n1. **Label:** IsDynamicDNS, **Field:** isDynDNS\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(\\\"DNS\\\")` | `security_content_ctime(firstTime)` | `dynamic_dns_providers` | `detect_hosts_connecting_to_dynamic_domain_providers_filter`\",\n                    \"known_false_positives\": \"Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Data Protection\",\n                            \"Prohibited Traffic Allowed or Protocol 
Mismatch\",\n                            \"DNS Hijacking\",\n                            \"Suspicious DNS Traffic\",\n                            \"Dynamic DNS\",\n                            \"Command and Control\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 12\",\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"PR.DS\",\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True\",\n                            \"description\": \"This macro limits the output of the query field to 
dynamic dns domains. It looks up the domains in a file provided by Splunk and one intended to be updated by the end user.\",\n                            \"name\": \"dynamic_dns_providers\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_hosts_connecting_to_dynamic_domain_providers_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Prohibited Network Traffic Allowed\",\n                    \"id\": \"ce5a0962-849f-4720-a678-753fe6674479\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for network traffic defined by port and transport layer protocol in the Enterprise Security lookup table \\\"lookup_interesting_ports\\\", that is marked as prohibited, and has an associated 'allow' action in the Network_Traffic data model. This could be indicative of a misconfigured network device.\",\n                    \"how_to_implement\": \"In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. 
The search requires the Network_Traffic data model be populated.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port OUTPUT app is_prohibited note transport | search is_prohibited=true | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Traffic\\\")` | `prohibited_network_traffic_allowed_filter`\",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Prohibited Traffic Allowed or Protocol Mismatch\",\n                            \"Ransomware\",\n                            \"Command and Control\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1048\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\",\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 9\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"PR.AC\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Exfiltration Over Alternative Protocol\"\n                
        ],\n                        \"mitre_attack_tactics\": [\n                            \"Exfiltration\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"prohibited_network_traffic_allowed_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Protocol or Port Mismatch\",\n                    \"id\": \"54dc1265-2f74-4b6d-b30d-49eb506a31b3\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for network traffic on common ports where a higher layer protocol does not match the port that is being used. For example, this search should identify cases where protocols other than HTTP are running on TCP port 80. 
This can be used by attackers to circumvent firewall restrictions, or as an attempt to hide malicious communications over ports and protocols that are typically allowed and not well inspected.\",\n                    \"how_to_implement\": \"Running this search properly requires a technology that can inspect network traffic and identify common protocols. Technologies such as Bro and Palo Alto Networks firewalls are two examples that will identify protocols via inspection, and not just assume a specific protocol based on the transport protocol and ports.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) OR ((All_Traffic.app=web-browsing OR All_Traffic.app=http) NOT (All_Traffic.dest_port=80 OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8000)) OR (All_Traffic.app=ssl NOT (All_Traffic.dest_port=443 OR All_Traffic.dest_port=8443)) OR (All_Traffic.app=smtp NOT All_Traffic.dest_port=25) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Traffic\\\")` | `protocol_or_port_mismatch_filter`\",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Prohibited Traffic Allowed or Protocol Mismatch\",\n                            \"Command and Control\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1048.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n         
               ],\n                        \"cis20\": [\n                            \"CIS 9\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"PR.AC\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Exfiltration\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT32\",\n                            \"APT33\",\n                            \"Thrip\",\n                            \"FIN8\",\n                            \"OilRig\",\n                            \"Lazarus Group\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this 
macro to limit the output results to filter out false positives. \",\n                            \"name\": \"protocol_or_port_mismatch_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"TOR Traffic\",\n                    \"id\": \"ea688274-9c06-4473-b951-e4cb7a5d7a45\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search looks for network traffic identified as The Onion Router (TOR), a benign anonymity network which can be abused for a variety of nefarious purposes.\",\n                    \"how_to_implement\": \"In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model be populated.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Traffic\\\")` | `tor_traffic_filter`\",\n                    \"known_false_positives\": \"None at this time\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Prohibited Traffic Allowed or Protocol Mismatch\",\n                            \"Ransomware\",\n                            \"Command and Control\"\n                        ],\n                        
\"mitre_attack_id\": [\n                            \"T1071.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 9\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Web Protocols\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"TA505\",\n                            \"Rocke\",\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"MuddyWater\",\n                            \"Wizard Spider\",\n                            \"Inception\",\n                            \"APT41\",\n                            \"SilverTerrier\",\n                            \"Machete\",\n                            \"APT28\",\n                            \"WIRTE\",\n                            \"APT33\",\n                            \"FIN4\",\n                            \"Night Dragon\",\n                            \"APT18\",\n                            \"APT38\",\n                            \"Cobalt Group\",\n                            \"APT19\",\n                            \"Threat Group-3390\",\n                            \"Rancor\",\n                            \"Orangeworm\",\n                            \"APT37\",\n                            \"Ke3chang\",\n                
            \"Dark Caracal\",\n                            \"Turla\",\n                            \"Lazarus Group\",\n                            \"BRONZE BUTLER\",\n                            \"APT32\",\n                            \"OilRig\",\n                            \"Magic Hound\",\n                            \"Gamaredon Group\",\n                            \"Stealth Falcon\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"tor_traffic_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Ransomware\",\n            \"id\": \"cf309d0d-d4aa-4fbb-963d-1e79febd3756\",\n            \"version\": 1,\n            \"date\": \"2020-02-04\",\n            \"description\": \"Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, and system processes run from unexpected locations, and many others.\",\n            \"narrative\": \"Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Attackers can deploy ransomware to enterprises through spearphishing campaigns and driveby downloads, as well as through traditional remote service-based exploitation. In the case of the WannaCry campaign, there was self-propagating wormable functionality that was used to maximize infection. 
Fortunately, organizations can apply several techniques--such as those in this Analytic Story--to detect and or mitigate the effects of ransomware.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/\",\n                \"https://www.splunk.com/blog/2017/06/27/closing-the-detection-to-mitigation-gap-or-to-petya-or-notpetya-whocares-.html\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Ransomware\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Malware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1485\",\n                    \"T1070.001\",\n                    \"T1021.001\",\n                    \"T1021.002\",\n                    \"T1070\",\n                    \"T1048\",\n                    \"T1036\",\n                    \"T1547.001\",\n                    \"T1053.005\",\n                    \"T1071.001\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Web Protocols\",\n                    \"SMB/Windows Admin Shares\",\n                    \"Scheduled Task\",\n                    \"Indicator Removal on Host\",\n                    \"Data Destruction\",\n                    \"Clear Windows Event Logs\",\n                    \"Registry Run Keys / Startup Folder\",\n                    \"Exfiltration Over Alternative Protocol\",\n                    \"Remote Desktop Protocol\",\n                    \"Masquerading\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\",\n                    \"Persistence\",\n                    \"Command And Control\",\n                    \"Impact\",\n                    \"Lateral Movement\",\n             
       \"Privilege Escalation\",\n                    \"Defense Evasion\",\n                    \"Exfiltration\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Putter Panda\",\n                    \"Dragonfly 2.0\",\n                    \"TA505\",\n                    \"Soft Cell\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"Stolen Pencil\",\n                    \"Gamaredon Group\",\n                    \"APT41\",\n                    \"Honeybee\",\n                    \"BRONZE BUTLER\",\n                    \"Frankenstein\",\n                    \"Threat Group-3390\",\n                    \"Cobalt Group\",\n                    \"Night Dragon\",\n                    \"APT18\",\n                    \"FIN10\",\n                    \"Tropic Trooper\",\n                    \"APT32\",\n                    \"Patchwork\",\n                    \"TEMP.Veles\",\n                    \"APT28\",\n                    \"Deep Panda\",\n                    \"Turla\",\n                    \"Ke3chang\",\n                    \"no\",\n                    \"Rancor\",\n                    \"RTM\",\n                    \"Sharpshooter\",\n                    \"FIN8\",\n                    \"SilverTerrier\",\n                    \"APT38\",\n                    \"Sandworm Team\",\n                    \"APT29\",\n                    \"Silence\",\n                    \"Molerats\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"menuPass\",\n                    \"Blue Mockingbird\",\n                    \"Machete\",\n                    \"APT-C-36\",\n                    \"Stealth Falcon\",\n                    \"APT39\",\n                    \"Gorgon Group\",\n                    \"Magic Hound\",\n                    \"Orangeworm\",\n                    \"Inception\",\n                    \"Windshift\",\n                    
\"Kimsuky\",\n                    \"Dark Caracal\",\n                    \"Axiom\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"FIN5\",\n                    \"Wizard Spider\",\n                    \"WIRTE\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"Threat Group-1314\",\n                    \"FIN4\",\n                    \"Rocke\",\n                    \"APT33\",\n                    \"APT1\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Common Ransomware Extensions\",\n                    \"id\": \"a9e5c5db-db11-43ca-86a8-c852d1b2c0ec\",\n                    \"version\": 3,\n                    \"date\": \"2020-03-16\",\n                    \"description\": \"The search looks for file modifications with extensions commonly used by Ransomware\",\n                    \"how_to_implement\": \"You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.\\\\\\nThis search produces fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** Name, **Field:** Name\\\\\\n1. \\\\\\n1. 
**Label:** File Extension, **Field:** file_extension\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name \\\"(?<file_extension>\\\\.[^\\\\.]+)$\\\" | `ransomware_extensions` | `common_ransomware_extensions_filter`\",\n                    \"known_false_positives\": \"It is possible for a legitimate file with these extensions to be created. 
If this is a true ransomware attack, there will be a large number of files created with these extensions.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"SamSam Ransomware\",\n                            \"Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Name | search Name !=False\",\n                            \"description\": \"This macro limits the output to files that have extensions associated with ransomware\",\n                            \"name\": \"ransomware_extensions\"\n                        },\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert 
timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"common_ransomware_extensions_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Common Ransomware Notes\",\n                    \"id\": \"ada0f478-84a8-4641-a3f1-d82362d6bd71\",\n                    \"version\": 3,\n                    \"date\": \"2020-03-16\",\n                    \"description\": \"The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back.\",\n                    \"how_to_implement\": \"You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or via other endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report file-system reads and writes.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_notes` | `common_ransomware_notes_filter`\",\n                    \"known_false_positives\": \"It's possible that a legitimate file could be created with the same name used by ransomware note files.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"SamSam Ransomware\",\n                            \"Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries 
only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status as \\\"Known Ransomware Notes\\\" | search \\\"Known Ransomware Notes\\\"=True\",\n                            \"description\": \"This macro limits the output to files that have been identified as a ransomware note\",\n                            \"name\": \"ransomware_notes\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"common_ransomware_notes_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Deleting Shadow Copies\",\n                    \"id\": \"b89919ed-ee5f-492c-b139-95dbb162039e\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service.  Wmic is an interface to the Windows Management Instrumentation.  
This search looks for either of these tools being used to delete shadow copies.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe OR Processes.process_name=wmic.exe)  by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*delete* AND process=*shadow* | `deleting_shadow_copies_filter`\",\n                    \"known_false_positives\": \"vssadmin.exe and wmic.exe are standard applications shipped with modern versions of windows. 
They may be used by administrators to legitimately delete old backup copies, although this is typically rare.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Log Manipulation\",\n                            \"SamSam Ransomware\",\n                            \"Ransomware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1485\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 10\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Data Destruction\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Impact\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Lazarus Group\",\n                            \"APT38\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                   
             \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"deleting_shadow_copies_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Registry Keys Used For Persistence\",\n                    \"id\": \"f5f6af30-7aa7-4295-bfe9-07fe87c01a4b\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"The search looks for modifications to registry keys that can be used to launch an application or service at system startup.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black or endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report reads and writes to the registry.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*currentversion\\\\\\\\run* OR Registry.registry_path=*currentVersion\\\\\\\\Windows\\\\\\\\Appinit_Dlls* OR Registry.registry_path=CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell* OR Registry.registry_path=*CurrentVersion\\\\\\\\Winlogon\\\\\\\\Userinit* OR Registry.registry_path=*CurrentVersion\\\\\\\\Winlogon\\\\\\\\VmApplet* OR Registry.registry_path=*currentversion\\\\\\\\policies\\\\\\\\explorer\\\\\\\\run* OR Registry.registry_path=*currentversion\\\\\\\\runservices* OR Registry.registry_path=*\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\* OR Registry.registry_path=\\\"*Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options*\\\" OR Registry.registry_path=HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Netsh\\\\\\\\*) by Registry.dest , Registry.status, Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `registry_keys_used_for_persistence_filter`\",\n                    \"known_false_positives\": \"There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Windows Registry Activities\",\n                            \"Suspicious MSHTA Activity\",\n                            \"DHS Report TA18-074A\",\n               
             \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Ransomware\",\n                            \"Windows Persistence Techniques\",\n                            \"Emotet Malware  DHS Report TA18-201A \"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1547.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Registry Run Keys / Startup Folder\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Rocke\",\n                            \"Tropic Trooper\",\n                            \"Gamaredon Group\",\n                            \"Sharpshooter\",\n                            \"Molerats\",\n                            \"Silence\",\n                            \"RTM\",\n                            \"Inception\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"Kimsuky\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"APT18\",\n                        
    \"Turla\",\n                            \"Dark Caracal\",\n                            \"Cobalt Group\",\n                            \"Honeybee\",\n                            \"Threat Group-3390\",\n                            \"Dragonfly 2.0\",\n                            \"Gorgon Group\",\n                            \"Ke3chang\",\n                            \"APT19\",\n                            \"Leviathan\",\n                            \"MuddyWater\",\n                            \"APT37\",\n                            \"BRONZE BUTLER\",\n                            \"Magic Hound\",\n                            \"APT3\",\n                            \"FIN10\",\n                            \"FIN7\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            \"Lazarus Group\",\n                            \"Putter Panda\",\n                            \"APT29\",\n                            \"Darkhotel\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to 
filter out false positives. \",\n                            \"name\": \"registry_keys_used_for_persistence_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Remote Process Instantiation via WMI\",\n                    \"id\": \"d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for wmic.exe being launched with parameters to spawn a process on a remote system.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = wmic.exe Processes.process=\\\"*/node*\\\" Processes.process=\\\"*process*\\\" Processes.process=\\\"*call*\\\" Processes.process=\\\"*create*\\\"   by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_filter`\",\n                    \"known_false_positives\": \"The wmic.exe utility is a benign Windows application. 
It may be used legitimately by Administrators with these parameters for remote system administration, but it's relatively uncommon.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Ransomware\",\n                            \"Suspicious WMI Use\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1021.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"PR.AT\",\n                            \"PR.AC\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Remote Desktop Protocol\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"TEMP.Veles\",\n                            \"Leviathan\",\n                            \"APT39\",\n                            \"Stolen Pencil\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"FIN8\",\n                            \"APT3\",\n                            \"OilRig\",\n                           
 \"menuPass\",\n                            \"FIN10\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            \"Lazarus Group\",\n                            \"APT1\",\n                            \"Axiom\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"remote_process_instantiation_via_wmi_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Scheduled tasks used in BadRabbit ransomware\",\n                    \"id\": \"1297fb80-f42a-4b4a-9c8b-78c066437cf6\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for flags passed to schtasks.exe on the command-line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process  from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process= \\\"*create*\\\"  OR Processes.process= \\\"*delete*\\\") by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | search (process=*rhaegal* OR process=*drogon* OR *viserion_*) | `scheduled_tasks_used_in_badrabbit_ransomware_filter`\",\n                    \"known_false_positives\": \"No known false positives\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Ransomware\"\n                     
   ],\n                        \"mitre_attack_id\": [\n                            \"T1053.005\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Scheduled Task\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\",\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Gamaredon Group\",\n                            \"Blue Mockingbird\",\n                            \"MuddyWater\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"APT-C-36\",\n                            \"BRONZE BUTLER\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"Soft Cell\",\n                            \"Silence\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"Dragonfly 2.0\",\n                            \"Patchwork\",\n                            \"OilRig\",\n                            \"Rancor\",\n                            \"Cobalt Group\",\n                            \"FIN8\",\n                            \"menuPass\",\n                            \"FIN10\",\n                            \"APT32\",\n 
                           \"FIN7\",\n                            \"Stealth Falcon\",\n                            \"FIN6\",\n                            \"APT3\",\n                            \"APT29\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"scheduled_tasks_used_in_badrabbit_ransomware_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Schtasks used for forcing a reboot\",\n                    \"id\": \"1297fb80-f42a-4b4a-9c8a-88c066437cf6\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for flags passed to schtasks.exe on the command-line that indicate that a forced reboot of system is scheduled.\",\n                    \"how_to_implement\": \"To successfully implement this search you need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = schtasks.exe Processes.process=\\\"*shutdown*\\\" Processes.process=\\\"*/r*\\\" Processes.process=\\\"*/f*\\\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_used_for_forcing_a_reboot_filter`\",\n                    \"known_false_positives\": \"Administrators may create jobs on systems forcing reboots to perform updates, maintenance, etc.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Persistence Techniques\",\n                            \"Ransomware\"\n                        ],\n                        \"mitre_attack_id\": [\n            
                \"T1053.005\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Scheduled Task\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\",\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Gamaredon Group\",\n                            \"Blue Mockingbird\",\n                            \"MuddyWater\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"APT-C-36\",\n                            \"BRONZE BUTLER\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"Soft Cell\",\n                            \"Silence\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"Dragonfly 2.0\",\n                            \"Patchwork\",\n                            \"OilRig\",\n                            \"Rancor\",\n                            \"Cobalt Group\",\n                            \"FIN8\",\n                            \"menuPass\",\n                            \"FIN10\",\n                            \"APT32\",\n                            \"FIN7\",\n                            
\"Stealth Falcon\",\n                            \"FIN6\",\n                            \"APT3\",\n                            \"APT29\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"schtasks_used_for_forcing_a_reboot_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Spike in File Writes\",\n                    \"id\": \"fdb0f805-74e4-4539-8c00-618927333aae\",\n                    \"version\": 3,\n                    \"date\": \"2020-03-16\",\n                    \"description\": \"The search looks for a sharp increase in the number of files written to a particular host\",\n                    \"how_to_implement\": \"In order to implement this search, you must populate the Endpoint file-system data model node. This is typically populated via endpoint detection and response products, such as Carbon Black or endpoint data sources such as Sysmon. 
The data used for this search is typically generated via logs that report reads and writes to the file system.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.action=created by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \\\"-1d@d\\\"), count, null))) as \\\"count\\\" avg(eval(if(_time<relative_time(maxtime, \\\"-1d@d\\\"), count,null))) as avg stdev(eval(if(_time<relative_time(maxtime, \\\"-1d@d\\\"), count, null))) as stdev by \\\"dest\\\" | eval upperBound=(avg+stdev*4), isOutlier=if((count > upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 | `spike_in_file_writes_filter` \",\n                    \"known_false_positives\": \"It is important to understand that if you happen to install any new applications on your hosts or are copying a large number of files, you can expect to see a large increase of file modifications.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"SamSam Ransomware\",\n                            \"Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n     
                   \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"spike_in_file_writes_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Suspicious wevtutil Usage\",\n                    \"id\": \"2827c0fd-e1be-4868-ae25-59d28e0f9d4f\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"The wevtutil.exe application is the windows event log utility. This searches for wevtutil.exe with parameters for clearing the application, security, setup, or system event logs.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = wevtutil.exe Processes.process=\\\"*cl*\\\" (Processes.process=\\\"*System*\\\" OR Processes.process=\\\"*Security*\\\" OR Processes.process=\\\"*Setup*\\\" OR Processes.process=\\\"*Application*\\\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `suspicious_wevtutil_usage_filter`\",\n                    \"known_false_positives\": \"The wevtutil.exe application is a legitimate Windows event log utility. 
Administrators may use it to manage Windows event logs.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Log Manipulation\",\n                            \"Ransomware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1070.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\",\n                            \"CIS 6\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"PR.IP\",\n                            \"PR.PT\",\n                            \"PR.AC\",\n                            \"PR.AT\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"\",\n                        \"mitre_attack_technique\": [\n                            \"Clear Windows Event Logs\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT41\",\n                            \"APT38\",\n                            \"Dragonfly 2.0\",\n                            \"APT32\",\n                            \"FIN8\",\n                            \"FIN5\",\n                            \"APT28\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data 
model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"suspicious_wevtutil_usage_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"System Processes Run From Unexpected Locations\",\n                    \"id\": \"a34aae96-ccf8-4aef-952c-3ea21444444d\",\n                    \"version\": 5,\n                    \"date\": \"2020-02-04\",\n                    \"description\": \"This search looks for system processes that normally run out of C:\\\\Windows\\\\System32\\\\ or C:\\\\Windows\\\\SysWOW64 that are not run from that location.  This can indicate a malicious process that is trying to hide as a legitimate process.\",\n                    \"how_to_implement\": \"To successfully implement this search you need to ingest details about process execution from your hosts. 
Specifically, this search requires the process name and the full path to the process executable.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !=\\\"C:\\\\\\\\Windows\\\\\\\\System32*\\\" Processes.process_path !=\\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64*\\\" by Processes.user Processes.dest Processes.process_name Processes.process_id Processes.process_path Processes.parent_process_name Processes.process_hash| `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file` | `system_processes_run_from_unexpected_locations_filter`\",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Command-Line Executions\",\n                            \"Unusual Processes\",\n                            \"Ransomware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1036\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Masquerading\"\n                        ],\n            
            \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Windshift\",\n                            \"APT32\",\n                            \"BRONZE BUTLER\",\n                            \"menuPass\",\n                            \"Dragonfly 2.0\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true\",\n                            \"description\": \"This macro limits the output to process names that are in the Windows System directory\",\n                            \"name\": \"is_windows_system_file\"\n                        },\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"system_processes_run_from_unexpected_locations_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Unusually Long Command Line\",\n                    \"id\": \"c77162d3-f93c-45cc-80c8-22f6a4264e7f\",\n                    \"version\": 4,\n                    \"date\": \"2020-03-16\",\n                    \"description\": \"Command lines that are extremely long may be indicative of malicious activity on your hosts.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships, from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the process field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|  eval processlen=len(process) | eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process | `unusually_long_command_line_filter` | eval threshold = 10 | where maxlen > ((threshold*stdevperhost) + avgperhost)\",\n                    \"known_false_positives\": \"Some legitimate applications start with long command lines.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Command-Line Executions\",\n                        
    \"Unusual Processes\",\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"unusually_long_command_line_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Unusually Long Command Line - MLTK\",\n                    \"id\": \"57edaefa-a73b-45e5-bbae-f39c1473f941\",\n                    \"version\": 1,\n                    \"date\": \"2019-05-08\",\n                    \"description\": \"Command lines that are extremely long may be indicative of malicious activity on your hosts. This search leverages the Machine Learning Toolkit (MLTK) to help identify command lines with lengths that are unusual for a given user.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that monitors command lines and populates the Endpoint data model in the Processes node. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. In addition, MLTK version >= 4.2 must be installed on your search heads, along with any required dependencies. Finally, the support search \\\"Baseline of Command Line Length - MLTK\\\" must be executed before this detection search, as it builds an ML model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. 
You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown | apply cmdline_pdfmodel threshold=0.01 | rename \\\"IsOutlier(processlen)\\\" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count | `unusually_long_command_line___mltk_filter`\",\n                    \"known_false_positives\": \"Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. If you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. You should also periodically re-run the support search to re-build the ML model on the latest data. 
You may get unexpected results if the user identified in the results is not present in the data used to build the associated model.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Command-Line Executions\",\n                            \"Unusual Processes\",\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of Command Line Length - MLTK\",\n                            \"id\": \"d2a4d85b-fc6a-47a0-82f6-bc1ec2ebc459\",\n                            \"version\": 1,\n                            \"date\": \"2019-05-08\",\n                            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the command lines observed for each user in the environment. By default, the search uses the last 30 days of data to build the model. 
The model created by this search is then used in the corresponding detection search, which identifies outliers in the length of the command line.\",\n                            \"how_to_implement\": \"You must be ingesting endpoint data and populating the Endpoint data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | search user!=unknown | `security_content_ctime(start_time)`| `security_content_ctime(end_time)`| eval processlen=len(process) | fit DensityFunction processlen by user into cmdline_pdfmodel\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                                    \"Ransomware\",\n                                    \"Suspicious Command-Line Executions\",\n                                    
\"Suspicious MSHTA Activity\",\n                                    \"Unusual Processes\"\n                                ],\n                                \"detections\": [\n                                    \"Detect Prohibited Applications Spawning cmd.exe\",\n                                    \"Unusually Long Command Line - MLTK\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"unusually_long_command_line___mltk_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"USN Journal Deletion\",\n                    \"id\": \"b6e0ff70-b122-4227-9368-4cf322ab43c3\",\n                    \"version\": 2,\n                    \"date\": \"2018-12-03\",\n                    \"description\": \"The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on the disk. This search looks for fsutil.exe deleting the USN journal.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=\\\"*deletejournal*\\\" AND process=\\\"*usn*\\\" | `usn_journal_deletion_filter`\",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Log Manipulation\",\n                            \"Ransomware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1070\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 6\",\n                            \"CIS 8\",\n                            \"CIS 10\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\",\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"DE.DP\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                     
       \"Indicator Removal on Host\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"usn_journal_deletion_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Windows Event Log Cleared\",\n                    \"id\": \"ad517544-aff9-4c96-bd99-d6eb43bfbb6a\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-06\",\n                    \"description\": \"This search looks for Windows events that indicate one of the Windows event logs has been purged.\",\n                    \"how_to_implement\": \"To successfully implement this search, you need to be ingesting Windows event logs from your hosts.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"(`wineventlog_security` (EventCode=1102 OR EventCode=1100)) OR (`wineventlog_system` EventCode=104) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_log_cleared_filter`\",\n                    \"known_false_positives\": \"It is possible that these logs may be legitimately cleared by Administrators.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Log Manipulation\",\n                            \"Ransomware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1070.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\",\n                            \"CIS 6\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n   
                         \"PR.IP\",\n                            \"PR.AC\",\n                            \"PR.AT\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Clear Windows Event Logs\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT41\",\n                            \"APT38\",\n                            \"Dragonfly 2.0\",\n                            \"APT32\",\n                            \"FIN8\",\n                            \"FIN5\",\n                            \"APT28\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"eventtype=wineventlog_security\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"wineventlog_security\"\n                        },\n                        {\n                            \"definition\": \"eventtype=wineventlog_system\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"wineventlog_system\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"windows_event_log_cleared_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Prohibited Network Traffic Allowed\",\n                    \"id\": \"ce5a0962-849f-4720-a678-753fe6674479\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for network traffic defined by port and transport layer protocol in the Enterprise Security lookup table \\\"lookup_interesting_ports\\\", that is marked as prohibited, and has an associated 'allow' action in the Network_Traffic data model. This could be indicative of a misconfigured network device.\",\n                    \"how_to_implement\": \"In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. 
The search requires the Network_Traffic data model be populated.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port OUTPUT app is_prohibited note transport | search is_prohibited=true | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Traffic\\\")` | `prohibited_network_traffic_allowed_filter`\",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Prohibited Traffic Allowed or Protocol Mismatch\",\n                            \"Ransomware\",\n                            \"Command and Control\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1048\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\",\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 9\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"PR.AC\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Exfiltration Over Alternative Protocol\"\n                
        ],\n                        \"mitre_attack_tactics\": [\n                            \"Exfiltration\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"prohibited_network_traffic_allowed_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"SMB Traffic Spike\",\n                    \"id\": \"7f5fb3e1-4209-4914-90db-0ec21b936378\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search looks for spikes in the number of Server Message Block (SMB) traffic connections.\",\n                    \"how_to_implement\": \"This search requires you to be ingesting your network traffic logs and populating the `Network_Traffic` data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | `drop_dm_object_name(\\\"All_Traffic\\\")` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \\\"-70m@m\\\"), count, null))) as count avg(eval(if(_time<relative_time(maxtime, \\\"-70m@m\\\"), count, null))) as avg stdev(eval(if(_time<relative_time(maxtime, \\\"-70m@m\\\"), count, null))) as stdev by src | eval upperBound=(avg+stdev*2), isOutlier=if(count > upperBound AND num_data_samples >=50, 1, 0) | where isOutlier=1 | table src count | `smb_traffic_spike_filter` \",\n                    \"known_false_positives\": \"A file server may experience high-demand loads that could cause this analytic to trigger.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"Hidden Cobra Malware\",\n                            \"Ransomware\",\n   
                         \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1021.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"SMB/Windows Admin Shares\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"Orangeworm\",\n                            \"FIN8\",\n                            \"APT3\",\n                            \"Lazarus Group\",\n                            \"Threat Group-1314\",\n                            \"Turla\",\n                            \"Deep Panda\",\n                            \"Ke3chang\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this 
macro to limit the output results to filter out false positives. \",\n                            \"name\": \"smb_traffic_spike_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"SMB Traffic Spike - MLTK\",\n                    \"id\": \"d25773ba-9ad8-48d1-858e-07ad0bbeb828\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search uses the Machine Learning Toolkit (MLTK) to identify spikes in the number of Server Message Block (SMB) connections.\",\n                    \"how_to_implement\": \"To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \\\"Baseline of SMB Traffic - MLTK\\\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\\\\\\nThis search produces a field (Number of events,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry): \\\\\\n1. 
**Label:** Number of events, **Field:** count\\\\\\nDetailed documentation on how to create a new field within Incident Review is found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, \\\"%H\\\") | eval DayOfWeek=strftime(_time, \\\"%A\\\") | `drop_dm_object_name(All_Traffic)` | apply smb_pdfmodel threshold=0.001 | rename \\\"IsOutlier(count)\\\" as isOutlier | search isOutlier > 0 | sort -count | table _time src dest port count | `smb_traffic_spike___mltk_filter` \",\n                    \"known_false_positives\": \"If you are seeing more results than desired, you may consider reducing the value of the threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. 
Please update the `smb_traffic_spike_mltk_filter` macro to filter out false positive results\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"Hidden Cobra Malware\",\n                            \"Ransomware\",\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1021.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"SMB/Windows Admin Shares\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"Orangeworm\",\n                            \"FIN8\",\n                            \"APT3\",\n                            \"Lazarus Group\",\n                            \"Threat Group-1314\",\n                            \"Turla\",\n                            \"Deep Panda\",\n                            \"Ke3chang\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of SMB Traffic - 
MLTK\",\n                            \"id\": \"df98763b-0b08-4281-8ef9-08db7ac572a9\",\n                            \"version\": 1,\n                            \"date\": \"2019-05-08\",\n                            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the number of SMB connections observed each hour for every day of week. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search to identify outliers in the number of SMB connections for that hour and day of the week.\",\n                            \"how_to_implement\": \"You must be ingesting network traffic and populating the Network_Traffic data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. To improve your results, you may consider adding \\\"src\\\" to the by clause, which will build the model for each unique source in your environment. However, if you have a large number of hosts in your environment, this search may be very resource intensive. In this case, you may need to raise the value of max_inputs and/or max_groups in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. 
More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=10m, All_Traffic.src | eval HourOfDay=strftime(_time, \\\"%H\\\") | eval DayOfWeek=strftime(_time, \\\"%A\\\") | `drop_dm_object_name(\\\"All_Traffic\\\")` | fit DensityFunction count by \\\"HourOfDay,DayOfWeek\\\" into smb_pdfmodel\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"DHS Report TA18-074A\",\n                                    \"Disabling Security Tools\",\n                                    \"Emotet Malware  DHS Report TA18-201A \",\n                                    \"Hidden Cobra Malware\",\n                                    \"Netsh Abuse\",\n                                    \"Ransomware\"\n                                ],\n                                \"detections\": [\n                                    \"Processes launching netsh\",\n                                    \"SMB Traffic Spike - MLTK\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit 
the output results to filter out false positives. \",\n                            \"name\": \"smb_traffic_spike___mltk_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"TOR Traffic\",\n                    \"id\": \"ea688274-9c06-4473-b951-e4cb7a5d7a45\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search looks for network traffic identified as The Onion Router (TOR), a benign anonymity network which can be abused for a variety of nefarious purposes.\",\n                    \"how_to_implement\": \"In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model be populated.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Traffic\\\")` | `tor_traffic_filter`\",\n                    \"known_false_positives\": \"None at this time\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Prohibited Traffic Allowed or Protocol Mismatch\",\n                            \"Ransomware\",\n                            \"Command and Control\"\n                        ],\n                        \"mitre_attack_id\": [\n  
                          \"T1071.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 9\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Web Protocols\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"TA505\",\n                            \"Rocke\",\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"MuddyWater\",\n                            \"Wizard Spider\",\n                            \"Inception\",\n                            \"APT41\",\n                            \"SilverTerrier\",\n                            \"Machete\",\n                            \"APT28\",\n                            \"WIRTE\",\n                            \"APT33\",\n                            \"FIN4\",\n                            \"Night Dragon\",\n                            \"APT18\",\n                            \"APT38\",\n                            \"Cobalt Group\",\n                            \"APT19\",\n                            \"Threat Group-3390\",\n                            \"Rancor\",\n                            \"Orangeworm\",\n                            \"APT37\",\n                            \"Ke3chang\",\n                            \"Dark 
Caracal\",\n                            \"Turla\",\n                            \"Lazarus Group\",\n                            \"BRONZE BUTLER\",\n                            \"APT32\",\n                            \"OilRig\",\n                            \"Magic Hound\",\n                            \"Gamaredon Group\",\n                            \"Stealth Falcon\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"tor_traffic_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Router and Infrastructure Security\",\n            \"id\": \"91c676cf-0b23-438d-abee-f6335e177e77\",\n            \"version\": 1,\n            \"date\": \"2017-09-12\",\n            \"description\": \"Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. 
Core routing and switching infrastructure are common strategic targets for attackers.\",\n            \"narrative\": \"Networking devices, such as routers and switches, are often overlooked as resources that attackers will leverage to subvert an enterprise. Advanced threat actors have shown a proclivity to target these critical assets as a means to siphon and redirect network traffic, flash backdoored operating systems, and implement cryptographically weakened algorithms to more easily decrypt network traffic.\\\\\\nThis Analytic Story helps you gain a better understanding of how your network devices are interacting with your hosts. By compromising your network devices, attackers can obtain direct access to the company's internal infrastructure — effectively increasing the attack surface and accessing private services/data.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.fireeye.com/blog/executive-perspective/2015/09/the_new_route_toper.html\",\n                \"https://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Router and Infrastructure Security\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Best Practices\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1557\",\n                    \"T1200\",\n                    \"T1498\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Man-in-the-Middle\",\n                    \"Hardware Additions\",\n                    \"Network Denial of Service\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Credential Access\",\n                    \"Impact\",\n                    \"Initial Access\",\n                    \"Collection\"\n    
            ],\n                \"mitre_attack_groups\": [\n                    \"no\",\n                    \"DarkVishnya\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect New Login Attempts to Routers\",\n                    \"id\": \"104658f4-afdc-499e-9719-17243rr826f1\",\n                    \"version\": 1,\n                    \"date\": \"2017-09-12\",\n                    \"description\": \"The search queries the authentication logs for assets that are categorized as routers in the ES Assets and Identity Framework, to identify connections that have not been seen before in the last 30 days.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must ensure the network router devices are categorized as \\\"router\\\" in the Assets and identity table. You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user| eval isOutlier=if(earliest >= relative_time(now(), \\\"-30d@d\\\"), 1, 0) | where isOutlier=1| `security_content_ctime(earliest)`| `security_content_ctime(latest)` | `drop_dm_object_name(\\\"Authentication\\\")` | `detect_new_login_attempts_to_routers_filter`\",\n                    \"known_false_positives\": \"Legitimate router connections may appear as new connections\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Router and Infrastructure Security\"\n                        ],\n                        \"kill_chain_phases\": 
[\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 11\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"PR.AC\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"detect_new_login_attempts_to_routers_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect ARP Poisoning\",\n                    \"id\": \"b44bebd6-bd39-467b-9321-73971bcd7aac\",\n                    \"version\": 1,\n                    \"date\": \"2020-08-11\",\n                    \"description\": \"By enabling Dynamic ARP Inspection as a Layer 2 Security measure on the organization's network devices, we will be able to detect ARP Poisoning attacks in the Infrastructure.\",\n                    \"how_to_implement\": \"This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and Dynamic ARP Inspection (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01111.html) and log with a severity level of minimum \\\"5 - notification\\\". 
The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Mikael Bjerkeland, Splunk\",\n                    \"search\": \"`cisco_networks` facility=\\\"PM\\\" mnemonic=\\\"ERR_DISABLE\\\" disable_cause=\\\"arp-inspection\\\" | eval src_interface=src_int_prefix_long+src_int_suffix | stats min(_time) AS firstTime max(_time) AS lastTime count BY host src_interface | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_arp_poisoning_filter`\",\n                    \"known_false_positives\": \"This search might be prone to high false positives if DHCP Snooping or ARP inspection has been incorrectly configured, or if a device normally sends many ARP packets (unlikely).\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Router and Infrastructure Security\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Reconnaissance\",\n                            \"Delivery\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1200\",\n                            \"T1498\",\n                            \"T1557\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\",\n                            \"CIS 11\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\"\n                        ],\n                        \"detection_name\": \"Detect ARP Poisoning\",\n                        \"security_domain\": \"network\",\n                        \"asset_type\": 
\"Infrastructure\",\n                        \"mitre_attack_technique\": [\n                            \"Hardware Additions\",\n                            \"Network Denial of Service\",\n                            \"Man-in-the-Middle\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Initial Access\",\n                            \"Impact\",\n                            \"Credential Access\",\n                            \"Collection\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"DarkVishnya\",\n                            \"no\",\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"eventtype=cisco_ios\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"cisco_networks\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"detect_arp_poisoning_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Rogue DHCP Server\",\n                    \"id\": \"6e1ada88-7a0d-4ac1-92c6-03d354686079\",\n                    \"version\": 1,\n                    \"date\": \"2020-08-11\",\n                    \"description\": \"By enabling DHCP Snooping as a Layer 2 Security measure on the organization's network devices, we will be able to detect unauthorized DHCP servers handing out DHCP leases to devices on the network (Man in the Middle attack).\",\n                    \"how_to_implement\": \"This search uses a standard SPL query on logs from Cisco Network devices. The network devices must be configured with DHCP Snooping enabled (see https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01101.html) and log with a severity level of minimum \\\"5 - notification\\\". 
The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Mikael Bjerkeland, Splunk\",\n                    \"search\": \"`cisco_networks` facility=\\\"DHCP_SNOOPING\\\" mnemonic=\\\"DHCP_SNOOPING_UNTRUSTED_PORT\\\" | stats min(_time) AS firstTime max(_time) AS lastTime count values(message_type) AS message_type values(src_mac) AS src_mac BY host | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `detect_rogue_dhcp_server_filter`\",\n                    \"known_false_positives\": \"This search might be prone to high false positives if DHCP Snooping has been incorrectly configured or in the unlikely event that the DHCP server has been moved to another network interface.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Router and Infrastructure Security\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Reconnaissance\",\n                            \"Delivery\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1200\",\n                            \"T1498\",\n                            \"T1557\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\",\n                            \"CIS 11\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\"\n                        ],\n                        \"detection_name\": \"Detect Rogue DHCP Server\",\n                        \"security_domain\": \"network\",\n                        \"asset_type\": 
\"Infrastructure\",\n                        \"mitre_attack_technique\": [\n                            \"Hardware Additions\",\n                            \"Network Denial of Service\",\n                            \"Man-in-the-Middle\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Initial Access\",\n                            \"Impact\",\n                            \"Credential Access\",\n                            \"Collection\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"DarkVishnya\",\n                            \"no\",\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"eventtype=cisco_ios\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"cisco_networks\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"detect_rogue_dhcp_server_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"SamSam Ransomware\",\n            \"id\": \"c4b89506-fbcf-4cb7-bfd6-527e54789604\",\n            \"version\": 1,\n            \"date\": \"2018-12-13\",\n            \"description\": \"Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more.\",\n            \"narrative\": \"The first version of the SamSam ransomware (a.k.a. Samas or SamsamCrypt) was launched in 2015 by a group of Iranian threat actors. The malicious software has affected and continues to affect thousands of victims and has raised almost $6M in ransom.\\\\\\nAlthough categorized under the heading of ransomware, SamSam campaigns have some importance distinguishing characteristics. Most notable is the fact that conventional ransomware is a numbers game. Perpetrators use a \\\"spray-and-pray\\\" approach with phishing campaigns or other mechanisms, charging a small ransom (typically under $1,000). The goal is to find a large number of victims willing to pay these mini-ransoms, adding up to a lucrative payday. They use relatively simple methods for infecting systems.\\\\\\nSamSam attacks are different beasts. They have become progressively more targeted and skillful than typical ransomware attacks. First, malicious actors break into a victim's network, surveil it, then run the malware manually. 
The attacks are tailored to cause maximum damage and the threat actors usually demand amounts in the tens of thousands of dollars.\\\\\\nIn a typical attack on one large healthcare organization in 2018, the company ended up paying a ransom of four Bitcoins, then worth $56,707. Reports showed that access to the company's files was restored within two hours of paying the sum.\\\\\\nAccording to Sophos, SamSam previously leveraged RDP to gain access to targeted networks via brute force. SamSam is not spread automatically, like other malware. It requires skill because it forces the attacker to adapt their tactics to the individual environment. Next, the actors escalate their privileges to admin level. They scan the networks for worthy targets, using conventional tools, such as PsExec or PaExec, to deploy/execute, quickly encrypting files.\\\\\\nThis Analytic Story includes searches designed to help detect and investigate signs of the SamSam ransomware, such as file writes to system32, writes with tell-tale extensions, batch files written to system32, and evidence of brute-force attacks via RDP.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/\",\n                \"https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/\",\n                \"https://thehackernews.com/2018/07/samsam-ransomware-attacks.html\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"SamSam Ransomware\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Malware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1485\",\n                    \"T1059.003\",\n                    \"T1021.001\",\n                    \"T1059.001\",\n                    
\"T1082\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Remote Desktop Protocol\",\n                    \"System Information Discovery\",\n                    \"Data Destruction\",\n                    \"Windows Command Shell\",\n                    \"PowerShell\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Impact\",\n                    \"Lateral Movement\",\n                    \"Discovery\",\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Dragonfly 2.0\",\n                    \"Soft Cell\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"Stolen Pencil\",\n                    \"Rocke\",\n                    \"APT41\",\n                    \"BRONZE BUTLER\",\n                    \"Honeybee\",\n                    \"Gamaredon Group\",\n                    \"Frankenstein\",\n                    \"Threat Group-3390\",\n                    \"DarkHydrus\",\n                    \"Cobalt Group\",\n                    \"TA459\",\n                    \"APT18\",\n                    \"FIN10\",\n                    \"Tropic Trooper\",\n                    \"APT32\",\n                    \"Patchwork\",\n                    \"TEMP.Veles\",\n                    \"APT28\",\n                    \"Deep Panda\",\n                    \"Turla\",\n                    \"Rancor\",\n                    \"CopyKittens\",\n                    \"FIN8\",\n                    \"APT38\",\n                    \"Sandworm Team\",\n                    \"Gallmaker\",\n                    \"Sowbug\",\n                    \"Silence\",\n                    \"Molerats\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"menuPass\",\n                    \"DarkVishnya\",\n                    \"Blue Mockingbird\",\n               
     \"Suckfly\",\n                    \"APT33\",\n                    \"Poseidon Group\",\n                    \"Stealth Falcon\",\n                    \"APT39\",\n                    \"Gorgon Group\",\n                    \"Magic Hound\",\n                    \"admin@338\",\n                    \"Inception\",\n                    \"Kimsuky\",\n                    \"Dark Caracal\",\n                    \"Axiom\",\n                    \"Thrip\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"APT29\",\n                    \"Wizard Spider\",\n                    \"WIRTE\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"Threat Group-1314\",\n                    \"FIN6\",\n                    \"TA505\",\n                    \"Ke3chang\",\n                    \"APT1\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Batch File Write to System32\",\n                    \"id\": \"503d17cb-9eab-4cf8-a20e-01d5c6987ae3\",\n                    \"version\": 1,\n                    \"date\": \"2018-12-14\",\n                    \"description\": \"The search looks for a batch file (.bat) written to the Windows system directory tree.\",\n                    \"how_to_implement\": \"You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. 
If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name values(Filesystem.user) as user from datamodel=Endpoint.Filesystem by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name \\\"(?<file_extension>\\\\.[^\\\\.]+)$\\\" | search file_path=*system32* AND file_extension=.bat | `batch_file_write_to_system32_filter`\",\n                    \"known_false_positives\": \"It is possible for this search to generate a notable event for a batch file write to a path that includes the string \\\"system32\\\", but is not the actual Windows system directory. As such, you should confirm the path of the batch file identified by the search. In addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. 
You should confirm that the activity is legitimate and modify the search to add exclusions, as necessary.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"SamSam Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"batch_file_write_to_system32_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Common Ransomware Extensions\",\n                    \"id\": \"a9e5c5db-db11-43ca-86a8-c852d1b2c0ec\",\n                    \"version\": 3,\n                    \"date\": \"2020-03-16\",\n                    \"description\": \"The search looks for file modifications with extensions commonly used by Ransomware\",\n                    \"how_to_implement\": \"You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.\\\\\\nThis search produces fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** Name, **Field:** Name\\\\\\n1. \\\\\\n1. 
**Label:** File Extension, **Field:** file_extension\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name \\\"(?<file_extension>\\\\.[^\\\\.]+)$\\\" | `ransomware_extensions` | `common_ransomware_extensions_filter`\",\n                    \"known_false_positives\": \"It is possible for a legitimate file with these extensions to be created. 
If this is a true ransomware attack, there will be a large number of files created with these extensions.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"SamSam Ransomware\",\n                            \"Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Name | search Name !=False\",\n                            \"description\": \"This macro limits the output to files that have extensions associated with ransomware\",\n                            \"name\": \"ransomware_extensions\"\n                        },\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert 
timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"common_ransomware_extensions_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Common Ransomware Notes\",\n                    \"id\": \"ada0f478-84a8-4641-a3f1-d82362d6bd71\",\n                    \"version\": 3,\n                    \"date\": \"2020-03-16\",\n                    \"description\": \"The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back.\",\n                    \"how_to_implement\": \"You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or via other endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report file-system reads and writes.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_notes` | `common_ransomware_notes_filter`\",\n                    \"known_false_positives\": \"It's possible that a legitimate file could be created with the same name used by ransomware note files.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"SamSam Ransomware\",\n                            \"Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries 
only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status as \\\"Known Ransomware Notes\\\" | search \\\"Known Ransomware Notes\\\"=True\",\n                            \"description\": \"This macro limits the output to files that have been identified as a ransomware note\",\n                            \"name\": \"ransomware_notes\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"common_ransomware_notes_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Deleting Shadow Copies\",\n                    \"id\": \"b89919ed-ee5f-492c-b139-95dbb162039e\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service.  Wmic is an interface to the Windows Management Instrumentation.  
This search looks for either of these tools being used to delete shadow copies.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe OR Processes.process_name=wmic.exe)  by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*delete* AND process=*shadow* | `deleting_shadow_copies_filter`\",\n                    \"known_false_positives\": \"vssadmin.exe and wmic.exe are standard applications shipped with modern versions of windows. 
They may be used by administrators to legitimately delete old backup copies, although this is typically rare.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Log Manipulation\",\n                            \"SamSam Ransomware\",\n                            \"Ransomware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1485\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 10\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Data Destruction\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Impact\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Lazarus Group\",\n                            \"APT38\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                   
             \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"deleting_shadow_copies_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect PsExec With accepteula Flag\",\n                    \"id\": \"b89919ed-fe5f-492c-b139-151xb162040e\",\n                    \"version\": 2,\n                    \"date\": \"2019-02-26\",\n                    \"description\": \"This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument `accepteula` within the command line.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = PsExec.exe Processes.process = \\\"*accepteula*\\\" by Processes.process_name Processes.dest  Processes.parent_process_name | `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_psexec_with_accepteula_flag_filter`\",\n                    \"known_false_positives\": \"Administrators can leverage PsExec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. However, it is not likely that you'd see multiple occurrences of this event on a machine\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"SamSam Ransomware\",\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.003\",\n                            \"T1059.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                        
    \"Windows Command Shell\",\n                            \"PowerShell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\",\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"TA505\",\n                            \"Blue Mockingbird\",\n                            \"Tropic Trooper\",\n                            \"Frankenstein\",\n                            \"OilRig\",\n                            \"Lazarus Group\",\n                            \"Honeybee\",\n                            \"Cobalt Group\",\n                            \"FIN7\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"Turla\",\n                            \"Silence\",\n                            \"APT32\",\n                            \"APT39\",\n                            \"Darkhotel\",\n                            \"MuddyWater\",\n                            \"APT18\",\n                            \"APT38\",\n                            \"Dark Caracal\",\n                            \"Gorgon Group\",\n                            \"Dragonfly 2.0\",\n                            \"Rancor\",\n                            \"Ke3chang\",\n                            \"APT37\",\n                            \"Leviathan\",\n                            \"FIN8\",\n                            \"APT28\",\n                            \"Magic Hound\",\n                            \"Sowbug\",\n                            \"BRONZE BUTLER\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Gamaredon Group\",\n                            \"Suckfly\",\n                            \"Patchwork\",\n                            \"Threat Group-1314\",\n         
                   \"APT3\",\n                            \"admin@338\",\n                            \"APT1\",\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"DarkVishnya\",\n                            \"Molerats\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Soft Cell\",\n                            \"TA505\",\n                            \"WIRTE\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"Gallmaker\",\n                            \"Turla\",\n                            \"APT19\",\n                            \"DarkHydrus\",\n                            \"APT28\",\n                            \"Thrip\",\n                            \"Gorgon Group\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"Leviathan\",\n                            \"TA459\",\n                            \"FIN8\",\n                            \"MuddyWater\",\n                            \"Magic Hound\",\n                            \"OilRig\",\n                            \"BRONZE BUTLER\",\n                            \"CopyKittens\",\n                            \"APT32\",\n                            \"FIN7\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Patchwork\",\n                            \"Stealth Falcon\",\n                            \"FIN6\",\n                            \"Poseidon Group\",\n                            \"APT3\",\n                            \"APT29\",\n                     
       \"Deep Panda\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_psexec_with_accepteula_flag_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"File with Samsam Extension\",\n                    \"id\": \"02c6cfc2-ae66-4735-bfc7-6291da834cbf\",\n                    \"version\": 1,\n                    \"date\": \"2018-12-14\",\n                    \"description\": \"The search looks for file writes with extensions consistent with a SamSam ransomware attack.\",\n                    \"how_to_implement\": \"You must be ingesting data that records file-system activity from your hosts to populate the Endpoint file-system data-model node. 
If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`| rex field=file_name \\\"(?<file_extension>\\\\.[^\\\\.]+)$\\\" | search file_extension=.stubbin OR file_extension=.berkshire OR file_extension=.satoshi OR file_extension=.sophos OR file_extension=.keyxml | `file_with_samsam_extension_filter`\",\n                    \"known_false_positives\": \"Because these extensions are not typically used in normal operations, you should investigate all results.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"SamSam Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                        
    \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"file_with_samsam_extension_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Prohibited Software On Endpoint\",\n                    \"id\": \"a51bfe1a-94f0-48cc-b4e4-b6ae50145893\",\n                    \"version\": 2,\n                    \"date\": \"2019-10-11\",\n                    \"description\": \"This search looks for applications on the endpoint that you have marked as prohibited.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. This is typically populated via endpoint detection-and-response products, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is usually generated via logs that report process tracking in your Windows audit settings. 
In addition, you must also have only the `process_name` (not the entire process path) marked as \\\"prohibited\\\" in the Enterprise Security `interesting processes` table. To include the process names marked as \\\"prohibited\\\", which is included with ES Content Updates, run the included search <code>Add Prohibited Processes to Enterprise Security</code>.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `prohibited_softwares` | `prohibited_software_on_endpoint_filter`\",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Monitor for Unauthorized Software\",\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"SamSam Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\",\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 2\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n               
         \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Add Prohibited Processes to Enterprise Security\",\n                            \"id\": \"251930a5-1451-4428-bb13-eed5775be0ce\",\n                            \"version\": 1,\n                            \"date\": \"2017-09-15\",\n                            \"description\": \"This search takes the existing interesting process table from ES, filters out any existing additions added by ESCU and then updates the table with processes identified by ESCU that should be prohibited on your endpoints.\",\n                            \"how_to_implement\": \"This search should be run on each new install of ESCU.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"| inputlookup interesting_processes_lookup | search note!=ESCU* | inputlookup append=T prohibitedProcesses_lookup | fillnull value=* dest dest_pci_domain | fillnull value=false is_required is_secure | fillnull value=true is_prohibited | outputlookup interesting_processes_lookup | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Emotet Malware  DHS Report TA18-201A \",\n                                    \"Monitor for Unauthorized Software\",\n                                    \"SamSam Ransomware\"\n                                ],\n                                \"detections\": [\n                                    \"Prohibited Software On Endpoint\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's 
summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"lookup interesting_processes_lookup app as process_name OUTPUT is_prohibited | search is_prohibited=True\",\n                            \"description\": \"This macro limits the output to process_names that have been marked as prohibited\",\n                            \"name\": \"prohibited_softwares\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"prohibited_software_on_endpoint_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Samsam Test File Write\",\n                    \"id\": \"69c12d59-d951-431e-ab77-ec426b8d65e6\",\n                    \"version\": 1,\n                    \"date\": \"2018-12-14\",\n                    \"description\": \"The search looks for a file named \\\"test.txt\\\" written to the windows system directory tree, which is consistent with Samsam propagation.\",\n                    \"how_to_implement\": \"You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. 
If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\\\\\\\windows\\\\\\\\system32\\\\\\\\test.txt by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `samsam_test_file_write_filter`\",\n                    \"known_false_positives\": \"No false positives have been identified.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"SamSam Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": 
\"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"samsam_test_file_write_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Spike in File Writes\",\n                    \"id\": \"fdb0f805-74e4-4539-8c00-618927333aae\",\n                    \"version\": 3,\n                    \"date\": \"2020-03-16\",\n                    \"description\": \"The search looks for a sharp increase in the number of files written to a particular host\",\n                    \"how_to_implement\": \"In order to implement this search, you must populate the Endpoint file-system data model node. This is typically populated via endpoint detection and response products, such as Carbon Black or endpoint data sources such as Sysmon. 
The data used for this search is typically generated via logs that report reads and writes to the file system.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.action=created by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)` | eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, \\\"-1d@d\\\"), count, null))) as \\\"count\\\" avg(eval(if(_time<relative_time(maxtime, \\\"-1d@d\\\"), count,null))) as avg stdev(eval(if(_time<relative_time(maxtime, \\\"-1d@d\\\"), count, null))) as stdev by \\\"dest\\\" | eval upperBound=(avg+stdev*4), isOutlier=if((count > upperBound) AND num_data_samples >=20, 1, 0) | search isOutlier=1 | `spike_in_file_writes_filter` \",\n                    \"known_false_positives\": \"It is important to understand that if you happen to install any new applications on your hosts or are copying a large number of files, you can expect to see a large increase of file modifications.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"SamSam Ransomware\",\n                            \"Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n     
                   \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"spike_in_file_writes_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Remote Desktop Network Bruteforce\",\n                    \"id\": \"a98727cc-286b-4ff2-b898-41df64695923\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for RDP application network traffic and filters any source/destination pair generating more than twice the standard deviation of the average traffic.\",\n                    \"how_to_implement\": \"You must ensure that your network traffic data is populating the Network_Traffic data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Jose Hernandez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 | where count>(avg + stdev*2) | rename All_Traffic.src AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50 stdev | 
`remote_desktop_network_bruteforce_filter`\",\n                    \"known_false_positives\": \"RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"SamSam Ransomware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1021.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Reconnaissance\",\n                            \"Delivery\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 12\",\n                            \"CIS 9\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"PR.AC\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Remote Desktop Protocol\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"TEMP.Veles\",\n                            \"Leviathan\",\n                            \"APT39\",\n                            \"Stolen Pencil\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"FIN8\",\n                            \"APT3\",\n  
                          \"OilRig\",\n                            \"menuPass\",\n                            \"FIN10\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            \"Lazarus Group\",\n                            \"APT1\",\n                            \"Axiom\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"remote_desktop_network_bruteforce_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Remote Desktop Network Traffic\",\n                    \"id\": \"272b8407-842d-4b3d-bead-a704584003d3\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-07\",\n                    \"description\": \"This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. This search allows for whitelisting both source and destination hosts to remove them from the output of the search so you can focus on the uncommon uses of remote desktop on your network.\",\n                    \"how_to_implement\": \"To successfully implement this search you need to identify systems that commonly originate remote desktop traffic and that commonly receive remote desktop traffic. 
You can use the included support search \\\"Identify Systems Creating Remote Desktop Traffic\\\" to identify systems that originate the traffic and the search \\\"Identify Systems Receiving Remote Desktop Traffic\\\" to identify systems that receive a lot of remote desktop traffic. After identifying these systems, you will need to add the \\\"common_rdp_source\\\" or \\\"common_rdp_destination\\\" category to that system depending on the usage, using the Enterprise Security Assets and Identities framework.  This can be done by adding an entry in the assets.csv file located in SA-IdentityManagement/lookups.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=3389 AND All_Traffic.dest_category!=common_rdp_destination AND All_Traffic.src_category!=common_rdp_source by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(\\\"All_Traffic\\\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_desktop_network_traffic_filter` \",\n                    \"known_false_positives\": \"Remote Desktop may be used legitimately by users on the network.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"SamSam Ransomware\",\n                            \"Hidden Cobra Malware\",\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1021.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n        
                    \"CIS 9\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"PR.AC\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Remote Desktop Protocol\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"TEMP.Veles\",\n                            \"Leviathan\",\n                            \"APT39\",\n                            \"Stolen Pencil\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"FIN8\",\n                            \"APT3\",\n                            \"OilRig\",\n                            \"menuPass\",\n                            \"FIN10\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            \"Lazarus Group\",\n                            \"APT1\",\n                            \"Axiom\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                   
     {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"remote_desktop_network_traffic_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect attackers scanning for vulnerable JBoss servers\",\n                    \"id\": \"104658f4-afdc-499e-9719-17243f982681\",\n                    \"version\": 1,\n                    \"date\": \"2017-09-23\",\n                    \"description\": \"This search looks for specific GET or HEAD requests to web servers that are indicative of reconnaissance attempts to identify vulnerable JBoss servers. 
JexBoss is described as the exploit tool of choice for this malicious activity.\",\n                    \"how_to_implement\": \"You must be ingesting data from the web server or network traffic that contains web specific information, and populating the Web data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method=\\\"GET\\\" OR Web.http_method=\\\"HEAD\\\") AND (Web.url=\\\"*/web-console/ServerInfo.jsp*\\\" OR Web.url=\\\"*web-console*\\\" OR Web.url=\\\"*jmx-console*\\\" OR Web.url = \\\"*invoker*\\\") by Web.http_method, Web.url, Web.src, Web.dest | `drop_dm_object_name(\\\"Web\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_attackers_scanning_for_vulnerable_jboss_servers_filter`\",\n                    \"known_false_positives\": \"It's possible for legitimate HTTP requests to be made to URLs containing the suspicious paths.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"JBoss Vulnerability\",\n                            \"SamSam Ransomware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1082\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Reconnaissance\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Web Server\",\n                        \"mitre_attack_technique\": [\n                            \"System Information Discovery\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Discovery\"\n                        ],\n    
                    \"mitre_attack_groups\": [\n                            \"Rocke\",\n                            \"Sandworm Team\",\n                            \"Blue Mockingbird\",\n                            \"Tropic Trooper\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"Kimsuky\",\n                            \"Darkhotel\",\n                            \"MuddyWater\",\n                            \"APT18\",\n                            \"Honeybee\",\n                            \"APT19\",\n                            \"APT37\",\n                            \"APT32\",\n                            \"Magic Hound\",\n                            \"OilRig\",\n                            \"APT3\",\n                            \"Sowbug\",\n                            \"Gamaredon Group\",\n                            \"Patchwork\",\n                            \"Stealth Falcon\",\n                            \"Lazarus Group\",\n                            \"admin@338\",\n                            \"Turla\",\n                            \"Ke3chang\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        
{\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_attackers_scanning_for_vulnerable_jboss_servers_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect malicious requests to exploit JBoss servers\",\n                    \"id\": \"c8bff7a4-11ea-4416-a27d-c5bca472913d\",\n                    \"version\": 1,\n                    \"date\": \"2017-09-23\",\n                    \"description\": \"This search is used to detect malicious HTTP requests crafted to exploit jmx-console in JBoss servers. The malicious requests have a long URL length, as the payload is embedded in the URL.\",\n                    \"how_to_implement\": \"You must ingest data from the web server or capture network data that contains web specific information with solutions such as Bro or Splunk Stream, and populating the Web data model\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.http_method=\\\"GET\\\" OR Web.http_method=\\\"HEAD\\\") by Web.http_method, Web.url,Web.url_length Web.src, Web.dest | search Web.url=\\\"*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*\\\" AND Web.url_length > 200 | `drop_dm_object_name(\\\"Web\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table src, dest_ip, http_method, url, firstTime, lastTime | `detect_malicious_requests_to_exploit_jboss_servers_filter`\",\n                    \"known_false_positives\": \"No known false positives for this detection.\",\n                    \"tags\": {\n 
                       \"analytics_story\": [\n                            \"JBoss Vulnerability\",\n                            \"SamSam Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 12\",\n                            \"CIS 4\",\n                            \"CIS 18\"\n                        ],\n                        \"nist\": [\n                            \"ID.RA\",\n                            \"PR.PT\",\n                            \"PR.IP\",\n                            \"DE.AE\",\n                            \"PR.MA\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Web Server\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            
\"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_malicious_requests_to_exploit_jboss_servers_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Spectre And Meltdown Vulnerabilities\",\n            \"id\": \"6d3306f6-bb2b-4219-8609-8efad64032f2\",\n            \"version\": 1,\n            \"date\": \"2018-01-08\",\n            \"description\": \"Assess and mitigate your systems' vulnerability to Spectre and Meltdown exploitation with the searches in this Analytic Story.\",\n            \"narrative\": \"Meltdown and Spectre exploit critical vulnerabilities in modern CPUs that allow unintended access to data in memory. This Analytic Story will help you identify the systems can be patched for these vulnerabilities, as well as those that still need to be patched.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://meltdownattack.com/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Spectre And Meltdown Vulnerabilities\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Vulnerability\"\n                ],\n                \"mitre_attack_id\": [],\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Spectre and Meltdown Vulnerable Systems\",\n                    \"id\": \"354be8e0-32cd-4da0-8c47-796de13b60ea\",\n                    \"version\": 1,\n                    \"date\": \"2017-01-07\",\n                    \"description\": \"The search is used to detect systems that are still vulnerable to the Spectre and 
Meltdown vulnerabilities.\",\n                    \"how_to_implement\": \"The search requires that you are ingesting your vulnerability-scanner data and that it reports the CVE of the vulnerability identified.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities where Vulnerabilities.cve =\\\"CVE-2017-5753\\\" OR Vulnerabilities.cve =\\\"CVE-2017-5715\\\" OR Vulnerabilities.cve =\\\"CVE-2017-5754\\\" by Vulnerabilities.dest | `drop_dm_object_name(Vulnerabilities)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spectre_and_meltdown_vulnerable_systems_filter`\",\n                    \"known_false_positives\": \"It is possible that your vulnerability scanner is not detecting that the patches have been applied.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Spectre And Meltdown Vulnerabilities\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 4\"\n                        ],\n                        \"nist\": [\n                            \"ID.RA\",\n                            \"RS.MI\",\n                            \"PR.IP\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Systems Ready for Spectre-Meltdown Windows Patch\",\n                            
\"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd61\",\n                            \"version\": 1,\n                            \"date\": \"2018-01-08\",\n                            \"description\": \"Some AV applications can cause the Spectre/Meltdown patch for Windows not to install successfully. This registry key is supposed to be created by the AV engine when it has been patched to be able to handle the Windows patch. If this key has been written, the system can then be patched for Spectre and Meltdown.\",\n                            \"how_to_implement\": \"You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change_Analysis.All_Changes where All_Changes.object_category=registry AND (All_Changes.object_path=\\\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\QualityCompat*\\\") by All_Changes.dest, All_Changes.command, All_Changes.user, All_Changes.object, All_Changes.object_path | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(\\\"All_Changes\\\")`\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Spectre And Meltdown Vulnerabilities\"\n                                ],\n                                \"detections\": [\n                                    \"Spectre and Meltdown Vulnerable Systems\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n     
                       \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"spectre_and_meltdown_vulnerable_systems_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Splunk Enterprise Vulnerability\",\n            \"id\": \"4e692b96-de2d-4bd1-9105-37e2368a8db1\",\n            \"version\": 1,\n            \"date\": \"2017-09-19\",\n            \"description\": \"Keeping your Splunk deployment up to date is critical and may help you reduce the risk of CVE-2016-4859, an open-redirection vulnerability within some older versions of Splunk Enterprise. The detection search will help ensure that users are being properly authenticated and not being redirected to malicious domains.\",\n            \"narrative\": \"This Analytic Story is associated with CVE-2016-4859, an open-redirect vulnerability in the following versions of Splunk Enterprise:\\\\\\n\\\\\\n1. Splunk Enterprise 6.4.x, prior to 6.4.3\\\\\\n1. Splunk Enterprise 6.3.x, prior to 6.3.6\\\\\\n1. Splunk Enterprise 6.2.x, prior to 6.2.10\\\\\\n1. Splunk Enterprise 6.1.x, prior to 6.1.11\\\\\\n1. Splunk Enterprise 6.0.x, prior to 6.0.12\\\\\\n1. 
Splunk Enterprise 5.0.x, prior to 5.0.16\\\\\\n1. Splunk Light, prior to 6.4.3\\\\\\nCVE-2016-4859 allows attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. (Credit: Noriaki Iwasaki, Cyber Defense Institute, Inc.).\\\\\\nIt is important to ensure that your Splunk deployment is being kept up to date and is properly configured. This detection search allows analysts to monitor the Splunk Web access log (in index=_internal) for return_to parameters that begin with an encoded tab (/%09/), the pattern this search treats as an exploitation attempt, so that attempts to redirect users to malicious third-party websites can be spotted; it does not itself verify that users are authenticated.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"http://www.splunk.com/view/SP-CAAAPQ6#announce\",\n                \"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4859\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Splunk Enterprise Vulnerability\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Vulnerability\"\n                ],\n                \"mitre_attack_id\": [],\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Open Redirect in Splunk Web\",\n                    \"id\": \"d199fb99-2312-451a-9daa-e5efa6ed76a7\",\n                    \"version\": 1,\n                    \"date\": \"2017-09-19\",\n                    \"description\": \"This search allows you to look for evidence of exploitation for CVE-2016-4859, the Splunk Open Redirect Vulnerability.\",\n                    \"how_to_implement\": \"No extra steps are needed beyond search access to index=_internal; the search reads sourcetype=splunk_web_access (the Splunk Web access log) from that index, so it must be run where those logs are indexed.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"index=_internal 
sourcetype=splunk_web_access return_to=\\\"/%09/*\\\" | `open_redirect_in_splunk_web_filter`\",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Splunk Enterprise Vulnerability\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 4\",\n                            \"CIS 18\"\n                        ],\n                        \"nist\": [\n                            \"ID.RA\",\n                            \"RS.MI\",\n                            \"PR.PT\",\n                            \"PR.AC\",\n                            \"PR.IP\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Splunk Server\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"open_redirect_in_splunk_web_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Splunk Enterprise Vulnerability CVE-2018-11409\",\n            \"id\": \"1fc34cbc-34e9-43ba-87ab-6811c9e95400\",\n            \"version\": 1,\n            \"date\": \"2018-06-14\",\n            \"description\": \"Reduce the risk of CVE-2018-11409, an information disclosure vulnerability within some older versions of Splunk Enterprise, with searches designed to help ensure that your Splunk system does not leak information to authenticated users.\",\n            \"narrative\": \"Although there have been no reports of it being exploited, Splunk Enterprise versions through 7.0.1 reportedly have a vulnerability that may expose information through a REST endpoint (read more here: https://www.splunk.com/view/SP-CAAAP5E#VulnerabilityDescriptionsandRatings). NIST has included it in its vulnerability database (read more here: https://nvd.nist.gov/vuln/detail/CVE-2018-11409). The REST endpoint that exposes system information is also necessary for the proper operation of Splunk clustering and instrumentation. Customers should upgrade to the latest version to reduce the risk of this vulnerability.\\\\\\nSplunk Enterprise exposes partial information about the host operating system, hardware, and Splunk license. Splunk Enterprise before 6.6.0 exposes this information without authentication. Splunk Enterprise 6.6.0 and later exposes this information only to authenticated Splunk users. 
Based on the information exposure, Splunk characterizes this issue as a low severity impact.\\\\\\nRead more in Splunk's official response: https://www.splunk.com/view/SP-CAAAP5E#VulnerabilityDescriptionsandRatings.\\\\\\nA detection search within this Analytic Story looks for vulnerabilities described in CVE-2018-11409: Information Exposure (https://nvd.nist.gov/vuln/detail/CVE-2018-11409). If it turns up activities that may be specific, you can use the included investigative searches to return information regarding web activity and network traffic by src_ip.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://nvd.nist.gov/vuln/detail/CVE-2018-11409\",\n                \"https://www.splunk.com/view/SP-CAAAP5E#VulnerabilityDescriptionsandRatings\",\n                \"https://www.exploit-db.com/exploits/44865/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Splunk Enterprise Vulnerability CVE-2018-11409\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Vulnerability\"\n                ],\n                \"mitre_attack_id\": [],\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Splunk Enterprise Information Disclosure\",\n                    \"id\": \"f6a26b7b-7e80-4963-a9a8-d836e7534ebd\",\n                    \"version\": 1,\n                    \"date\": \"2018-06-14\",\n                    \"description\": \"This search allows you to look for evidence of exploitation for CVE-2018-11409, a Splunk Enterprise Information Disclosure Bug.\",\n                    \"how_to_implement\": \"The REST endpoint that exposes system information is also necessary for the proper operation of Splunk 
clustering and instrumentation, so your own Splunk servers (for example cluster members) will legitimately call it. Allow-listing those hosts by src_ip in the splunk_enterprise_information_disclosure_filter macro will reduce false positives; the search itself only excludes clientip 127.0.0.1 and requires search access to index=_internal.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"index=_internal sourcetype=splunkd_ui_access server-info | search clientip!=127.0.0.1 uri_path=\\\"*raw/services/server/info/server-info\\\" | rename clientip as src_ip, splunk_server as dest | stats earliest(_time) as firstTime, latest(_time) as lastTime, values(uri) as uri, values(useragent) as http_user_agent, values(user) as user by src_ip, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_information_disclosure_filter`\",\n                    \"known_false_positives\": \"Retrieving server information may be a legitimate API request. Verify that the attempt is a valid request for information. Results with an empty user value deserve priority, since versions before 6.6.0 served this endpoint without authentication.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Splunk Enterprise Vulnerability CVE-2018-11409\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 4\",\n                            \"CIS 18\"\n                        ],\n                        \"nist\": [\n                            \"ID.RA\",\n                            \"RS.MI\",\n                            \"PR.PT\",\n                            \"PR.AC\",\n                            \"PR.IP\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Splunk Server\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        
\"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"splunk_enterprise_information_disclosure_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"SQL Injection\",\n            \"id\": \"4f6632f5-449c-4686-80df-57625f59bab3\",\n            \"version\": 1,\n            \"date\": \"2017-09-19\",\n            \"description\": \"Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters.\",\n            \"narrative\": \"It is very common for attackers to inject SQL parameters into vulnerable web applications, which then interpret the malicious SQL statements.\\\\\\nThis Analytic Story contains a search designed to identify attempts by attackers to leverage this technique to compromise a host and gain a foothold in the target environment.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://capec.mitre.org/data/definitions/66.html\",\n                \"https://www.incapsula.com/web-application-security/sql-injection.html\"\n            ],\n            \"tags\": {\n            
    \"analytics_story\": \"SQL Injection\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1190\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Exploit Public-Facing Application\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"Axiom\",\n                    \"Soft Cell\",\n                    \"APT39\",\n                    \"APT41\",\n                    \"BlackTech\",\n                    \"Rocke\",\n                    \"Night Dragon\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"SQL Injection with Long URLs\",\n                    \"id\": \"e0aad4cf-0790-423b-8328-7564d0d938f9\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for long URLs that have several SQL commands visible within them.\",\n                    \"how_to_implement\": \"To successfully implement this search, you need to be monitoring network communications to your web servers or ingesting your HTTP logs and populating the Web data model. 
You must also identify your web servers in the Enterprise Security assets table.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Web where Web.dest_category=web_server AND (Web.url_length > 1024 OR Web.http_user_agent_length > 200) by Web.src Web.dest Web.url Web.url_length Web.http_user_agent | `drop_dm_object_name(\\\"Web\\\")` | eval num_sql_cmds=mvcount(split(url, \\\"alter%20table\\\")) + mvcount(split(url, \\\"between\\\")) + mvcount(split(url, \\\"create%20table\\\")) + mvcount(split(url, \\\"create%20database\\\")) + mvcount(split(url, \\\"create%20index\\\")) + mvcount(split(url, \\\"create%20view\\\")) + mvcount(split(url, \\\"delete\\\")) + mvcount(split(url, \\\"drop%20database\\\")) + mvcount(split(url, \\\"drop%20index\\\")) + mvcount(split(url, \\\"drop%20table\\\")) + mvcount(split(url, \\\"exists\\\")) + mvcount(split(url, \\\"exec\\\")) + mvcount(split(url, \\\"group%20by\\\")) + mvcount(split(url, \\\"having\\\")) + mvcount(split(url, \\\"insert%20into\\\")) + mvcount(split(url, \\\"inner%20join\\\")) + mvcount(split(url, \\\"left%20join\\\")) + mvcount(split(url, \\\"right%20join\\\")) + mvcount(split(url, \\\"full%20join\\\")) + mvcount(split(url, \\\"select\\\")) + mvcount(split(url, \\\"distinct\\\")) + mvcount(split(url, \\\"select%20top\\\")) + mvcount(split(url, \\\"union\\\")) + mvcount(split(url, \\\"xp_cmdshell\\\")) - 24 | where num_sql_cmds > 3 | `sql_injection_with_long_urls_filter`\",\n                    \"known_false_positives\": \"It's possible that legitimate traffic will have long URLs or long user agent strings and that common SQL commands may be found within the URL. 
Note that the keyword count uses case-sensitive split() on literal lowercase strings and expects spaces encoded as %20, so mixed-case or differently encoded payloads are under-counted, while ordinary words such as delete, exists, between and select in legitimate URLs inflate the count. Please investigate as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"SQL Injection\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1190\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 4\",\n                            \"CIS 13\",\n                            \"CIS 18\"\n                        ],\n                        \"nist\": [\n                            \"PR.DS\",\n                            \"ID.RA\",\n                            \"PR.PT\",\n                            \"PR.IP\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Database Server\",\n                        \"mitre_attack_technique\": [\n                            \"Exploit Public-Facing Application\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"Rocke\",\n                            \"APT39\",\n                            \"BlackTech\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"Night Dragon\",\n                            \"Axiom\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            
\"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"sql_injection_with_long_urls_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious AWS EC2 Activities\",\n            \"id\": \"2e8948a5-5239-406b-b56b-6c50f1268af3\",\n            \"version\": 1,\n            \"date\": \"2018-02-09\",\n            \"description\": \"Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users (among others). Included investigative searches will help you probe more deeply, when the information warrants it.\",\n            \"narrative\": \"AWS CloudTrail is an AWS service that helps you enable governance, compliance, and risk auditing within your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Console, AWS command-line interface, and AWS SDKs and APIs to ensure that your EC2 instances are not vulnerable to attacks. 
This Analytic Story identifies suspicious activities in your AWS EC2 instances and helps you respond and investigate those activities.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Suspicious AWS EC2 Activities\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1535\",\n                    \"T1078.004\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Unused/Unsupported Cloud Regions\",\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Abnormally High AWS Instances Launched by User\",\n                    \"id\": \"2a9b80d3-6340-4345-b5ad-290bf5d0dac4\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for CloudTrail events where a user successfully launches an abnormally high number of instances.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
The threshold value (threshold_value, 4 standard deviations by default) should be tuned to your environment. Note that the average and standard deviation are computed with eventstats across all users and all 10-minute buckets in the search time range, not per user, so run the search over a window long enough to form a meaningful baseline; only buckets from the last 10 minutes are reported as outliers.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success | bucket span=10m _time | stats count AS instances_launched by _time userName | eventstats avg(instances_launched) as total_launched_avg, stdev(instances_launched) as total_launched_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_launched > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), \\\"-10m@m\\\") | eval num_standard_deviations_away = round(abs(instances_launched - total_launched_avg) / total_launched_stdev, 2) | table _time, userName, instances_launched, num_standard_deviations_away, total_launched_avg, total_launched_stdev | `abnormally_high_aws_instances_launched_by_user_filter`\",\n                    \"known_false_positives\": \"Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. 
Always verify if this search alerted on a human user.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cryptomining\",\n                            \"Suspicious AWS EC2 Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.004\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"risk_score\": 40,\n                        \"risk_object_type\": \"user\",\n                        \"risk_object\": \"userName\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT33\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"abnormally_high_aws_instances_launched_by_user_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Abnormally High AWS Instances Launched by User - MLTK\",\n                    \"id\": \"dec41ad5-d579-42cb-b4c6-f5dbb778bbe5\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for CloudTrail events where a user successfully launches an abnormally high number of instances.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search has no threshold of its own: it applies the ec2_excessive_runinstances_v1 model, so the outlier sensitivity is the DensityFunction threshold set in the corresponding baseline search and should be tuned there for your environment.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success `abnormally_high_aws_instances_launched_by_user___mltk_filter` | bucket span=10m _time  | stats count as instances_launched by _time src_user  | apply ec2_excessive_runinstances_v1  | rename \\\"IsOutlier(instances_launched)\\\" as isOutlier  | where isOutlier=1\",\n                    \"known_false_positives\": \"Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. 
Always verify if this search alerted on a human user.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Cloud Cryptomining\",\n                            \"Suspicious AWS EC2 Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.004\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT33\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of Excessive AWS Instances Launched by User - MLTK\",\n                            \"id\": \"fa5634df-fb05-4b4b-aba0-6115138bb1ba\",\n                            \"version\": 1,\n                            \"date\": \"2019-11-14\",\n                            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model for how many RunInstances users do in the environment. 
By default, the search uses the last 90 days of data to build the model. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of RunInstances performed by a user in a small time window.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\\\\\\nIn addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. The search string sets no earliest/latest of its own, so the model is built over whatever time range the scheduled baseline search uses; confirm that window in your environment, as this content has been documented with both 30-day and 90-day defaults. You can modify the search window to build the model over a longer period of time, which may give you better results. Because the model learns whatever RunInstances volume occurred during that window as normal, check that the training period does not already contain the abusive activity you want to detect. 
You may also want to periodically re-run this search to rebuild the model with the latest data.\\\\\\nMore information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                            \"author\": \"Jason Brewer, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success `ec2_excessive_runinstances_mltk_input_filter` | bucket span=10m _time | stats count as instances_launched by _time src_user | fit DensityFunction instances_launched threshold=0.0005 into ec2_excessive_runinstances_v1\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Cloud Cryptomining\",\n                                    \"Suspicious AWS EC2 Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Abnormally High AWS Instances Launched by User - MLTK\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"abnormally_high_aws_instances_launched_by_user___mltk_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Abnormally High AWS Instances Terminated by User\",\n                    \"id\": \"ada0f478-84a8-4641-s3f3-d82362dffd75\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for CloudTrail events where an abnormally high number of instances were successfully terminated by a user in a 10-minute window\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=TerminateInstances errorCode=success | bucket span=10m _time | stats count AS instances_terminated by _time userName | eventstats avg(instances_terminated) as total_terminations_avg, stdev(instances_terminated) as total_terminations_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_terminated > total_terminations_avg+(total_terminations_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), \\\"-10m@m\\\")| eval num_standard_deviations_away = round(abs(instances_terminated - total_terminations_avg) / total_terminations_stdev, 2) |table _time, userName, instances_terminated, num_standard_deviations_away, total_terminations_avg, total_terminations_stdev | `abnormally_high_aws_instances_terminated_by_user_filter`\",\n                    \"known_false_positives\": \"Many service accounts configured with your AWS infrastructure are known to exhibit this behavior. 
Please adjust the threshold values and filter out service accounts from the output. Always verify whether this search alerted on a human user.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS EC2 Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.004\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT33\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"abnormally_high_aws_instances_terminated_by_user_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Abnormally High AWS Instances Terminated by User - MLTK\",\n                    \"id\": \"1c02b86a-cd85-473e-a50b-014a9ac8fe3e\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for CloudTrail events where a user successfully terminates an abnormally high number of instances.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search has no threshold of its own: it applies the ec2_excessive_terminateinstances_v1 model, so the outlier sensitivity is the DensityFunction threshold set in the corresponding baseline search and should be tuned there for your environment.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=TerminateInstances errorCode=success `abnormally_high_aws_instances_terminated_by_user___mltk_filter` | bucket span=10m _time  | stats count as instances_terminated by _time src_user  | apply ec2_excessive_terminateinstances_v1  | rename \\\"IsOutlier(instances_terminated)\\\" as isOutlier  | where isOutlier=1\",\n                    \"known_false_positives\": \"Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. 
Always verify if this search alerted on a human user.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS EC2 Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.004\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT33\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of Excessive AWS Instances Terminated by User - MLTK\",\n                            \"id\": \"b28ed6de-e4ba-40f7-ae0a-93a088c774ab\",\n                            \"version\": 1,\n                            \"date\": \"2019-11-14\",\n                            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model for how many TerminateInstances users do in the environment. 
By default, the search uses the last 90 days of data to build the model. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of TerminateInstances performed by a user in a small time window.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\\\\\\nIn addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. The search string sets no earliest/latest of its own, so the model is built over whatever time range the scheduled baseline search uses; confirm that window in your environment, as this content has been documented with both 30-day and 90-day defaults. You can modify the search window to build the model over a longer period of time, which may give you better results. Because the model learns whatever TerminateInstances volume occurred during that window as normal, check that the training period does not already contain the abusive activity you want to detect. 
You may also want to periodically re-run this search to rebuild the model with the latest data.\\\\\\nMore information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                            \"author\": \"Jason Brewer, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=TerminateInstances errorCode=success `ec2_excessive_terminateinstances_mltk_input_filter` | bucket span=10m _time | stats count as instances_terminated by _time src_user | fit DensityFunction instances_terminated threshold=0.0005 into ec2_excessive_terminateinstances_v1\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious AWS EC2 Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Abnormally High AWS Instances Terminated by User - MLTK\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"abnormally_high_aws_instances_terminated_by_user___mltk_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"EC2 Instance Started In Previously Unseen Region\",\n                    \"id\": \"ada0f478-84a8-4641-a3f3-d82362d6fd75\",\n                    \"version\": 1,\n                    \"date\": \"2018-02-23\",\n                    \"description\": \"This search looks for CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Run the \\\"Previously seen AWS Regions\\\" support search only once to create of baseline of previously seen regions.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` earliest=-1h StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | inputlookup append=t previously_seen_aws_regions.csv | stats min(earliest) as earliest max(latest) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | eval regionStatus=if(earliest >= relative_time(now(),\\\"-1d@d\\\"), \\\"Instance Started in a New Region\\\",\\\"Previously Seen Region\\\") | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where regionStatus=\\\"Instance Started in a New Region\\\" | `ec2_instance_started_in_previously_unseen_region_filter`\",\n                    \"known_false_positives\": \"It's possible that a user has unknowingly started an instance in a new region. 
Please verify that this activity is legitimate. Note that the detection search itself writes the merged results back to previously_seen_aws_regions.csv on every run, so a region is reported as new only while its earliest observed StartInstances falls on or after the start of the previous day; after that it is part of the baseline and will no longer alert. If the baseline lookup is created while unauthorized activity is already underway, that region will be treated as previously seen, so review the lookup contents when the baseline is first built.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cryptomining\",\n                            \"Suspicious AWS EC2 Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1535\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Unused/Unsupported Cloud Regions\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen AWS Regions\",\n                            \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd63\",\n                            \"version\": 1,\n                            \"date\": \"2018-01-08\",\n                            \"description\": \"This search looks for CloudTrail events where an AWS instance is started and creates a baseline of most recent time (latest) and the first time (earliest) we've seen this region in our dataset grouped by the value awsRegion for the last 30 days\",\n                            \"how_to_implement\": \"You must install the AWS 
App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"`cloudtrail` StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS Cryptomining\",\n                                    \"Suspicious AWS EC2 Activities\"\n                                ],\n                                \"detections\": [\n                                    \"EC2 Instance Started In Previously Unseen Region\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"ec2_instance_started_in_previously_unseen_region_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"EC2 Instance Started With Previously Unseen User\",\n                    \"id\": \"22773e84-bac0-4595-b086-20d3f735b4f1\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for EC2 instances being created by users who have not created them before.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the \\\"Previously Seen EC2 Launches By User\\\" support search once to create a history of previously seen ARNs.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_launches_by_user.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user.csv | eval newUser=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as user | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_user_filter`\",\n                    
\"known_false_positives\": \"It's possible that a user will start to create EC2 instances when they haven't before for any number of reasons. Verify with the user that is launching instances that this is the intended behavior.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Cryptomining\",\n                            \"Suspicious AWS EC2 Activities\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.004\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT33\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen EC2 Launches By User\",\n                            \"id\": \"6c767ac0-0906-4355-9a83-927f5ee7bdad\",\n                            \"version\": 1,\n                            \"date\": \"2018-03-15\",\n                            \"description\": \"This search builds a table of previously seen ARNs that have launched a EC2 instance.\",\n                            \"how_to_implement\": \"You must install the AWS App 
for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success | rename userIdentity.arn as arn | stats earliest(_time) as firstTime latest(_time) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS Cryptomining\",\n                                    \"Suspicious AWS EC2 Activities\"\n                                ],\n                                \"detections\": [\n                                    \"EC2 Instance Started With Previously Unseen User\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"ec2_instance_started_with_previously_unseen_user_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious AWS Login Activities\",\n            \"id\": \"2e8948a5-5239-406b-b56b-6c59f1268af3\",\n            \"version\": 1,\n            \"date\": \"2019-05-01\",\n            \"description\": \"Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins. \",\n            \"narrative\": \"It is important to monitor and control who has access to your AWS infrastructure. Detecting suspicious logins to your AWS infrastructure will provide good starting points for investigations. 
Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any EC2 instances created by the attacker.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Suspicious AWS Login Activities\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1535\",\n                    \"T1078.004\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Unused/Unsupported Cloud Regions\",\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect AWS Console Login by User from New City\",\n                    \"id\": \"121b0b11-f8ac-4ed6-a132-3800ca4fc07a\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-30\",\n                    \"description\": \"This search looks for CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. 
The alert is fired if the user has logged into the console for the first time within the last hour\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Run the \\\"Previously seen users in CloudTrail\\\" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run \\\"Update previously seen users in CloudTrail\\\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user City | join user type=outer [| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) AS earliestseen by user | fields earliestseen user] | eval userStatus=if(firstTime >= relative_time(now(), \\\"@d\\\"), \\\"New City\\\",\\\"Previously Seen City\\\") | eval UserData=if(earliestseen >= relative_time(now(), \\\"@d\\\") OR isnull(earliestseen), \\\"New User\\\",\\\"Old User\\\") | where userStatus=\\\"New City\\\" AND UserData=\\\"Old User\\\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `security_content_ctime(earliestseen)` | table user City userStatus firstTime lastTime earliestseen | `detect_aws_console_login_by_user_from_new_city_filter`\",\n                    \"known_false_positives\": \"When a legitimate new user logins for the first time, this activity will be detected. 
Check how old the account is and verify that the user activity is legitimate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS Login Activities\",\n                            \"Suspicious Cloud Authentication Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1535\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Unused/Unsupported Cloud Regions\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously seen users in CloudTrail\",\n                            \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd03\",\n                            \"version\": 1,\n                            \"date\": \"2018-04-30\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last 30 days.\",\n           
                 \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                            \"author\": \"Jason Brewer, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) as firstTime latest(_time) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious AWS Login Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Previously seen users in CloudTrail - DM\",\n                            \"id\": \"0a87ecf9-dc6a-43af-861a-205e75a09bf5\",\n                            \"version\": 1,\n                            \"date\": \"2020-05-28\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, 
and Country we have encountered this user in our dataset, grouped by username, within the last 30 days.\",\n                            \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | table user src City Region Country firstTime lastTime | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious Cloud Authentication Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login - DM\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Update previously seen users in CloudTrail\",\n                            \"id\": \"06c036e6-d6d7-4daa-bd76-411c3d356031\",\n                            \"version\": 1,\n                            
\"date\": \"2018-04-30\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last hour.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                            \"author\": \"Jason Brewer, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) AS firstTime latest(_time) AS lastTime by user src City Region Country | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious AWS Login Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login\"\n                                ]\n                            }\n                        },\n          
              {\n                            \"name\": \"Update previously seen users in CloudTrail - DM\",\n                            \"id\": \"66ff71c2-7e01-47dd-a041-906688c9d322\",\n                            \"version\": 1,\n                            \"date\": \"2020-05-28\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by user, within the last hour.\",\n                            \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authenticaiton.src | iplocation Authentication.src | rename Authentication.user as user Authentciation.src as src | table user src City Region Country firstTime lastTime | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious Cloud Authentication Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n       
                             \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login - DM\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_aws_console_login_by_user_from_new_city_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect AWS Console Login by User from New Country\",\n                    \"id\": \"67bd3def-c41c-4bf6-837b-ae196b4257c6\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-30\",\n                    \"description\": \"This search looks for CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. 
The alert is fired if the user has logged into the console for the first time within the last hour.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Run the \\\"Previously seen users in CloudTrail\\\" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run \\\"Update previously seen users in CloudTrail\\\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user Country | join user type=outer [| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) AS earliestseen by user | fields earliestseen user] | eval userStatus=if(firstTime >= relative_time(now(), \\\"@d\\\"), \\\"New Country\\\",\\\"Previously Seen Country\\\") | eval UserData=if(earliestseen >= relative_time(now(), \\\"@d\\\") OR isnull(earliestseen), \\\"New User\\\",\\\"Old User\\\") | where userStatus=\\\"New Country\\\" AND UserData=\\\"Old User\\\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`security_content_ctime(earliestseen)` | table user Country userStatus firstTime lastTime earliestseen | `detect_aws_console_login_by_user_from_new_country_filter`\",\n                    \"known_false_positives\": \"When a legitimate new user logs in for the first time, this activity will be detected. 
Check how old the account is and verify that the user activity is legitimate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS Login Activities\",\n                            \"Suspicious Cloud Authentication Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1535\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Unused/Unsupported Cloud Regions\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously seen users in CloudTrail\",\n                            \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd03\",\n                            \"version\": 1,\n                            \"date\": \"2018-04-30\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last 30 days.\",\n           
                 \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                            \"author\": \"Jason Brewer, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) as firstTime latest(_time) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious AWS Login Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Previously seen users in CloudTrail - DM\",\n                            \"id\": \"0a87ecf9-dc6a-43af-861a-205e75a09bf5\",\n                            \"version\": 1,\n                            \"date\": \"2020-05-28\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, 
and Country we have encountered this user in our dataset, grouped by username, within the last 30 days.\",\n                            \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | table user src City Region Country firstTime lastTime | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious Cloud Authentication Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login - DM\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Update previously seen users in CloudTrail\",\n                            \"id\": \"06c036e6-d6d7-4daa-bd76-411c3d356031\",\n                            \"version\": 1,\n                            
\"date\": \"2018-04-30\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last hour.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                            \"author\": \"Jason Brewer, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) AS firstTime latest(_time) AS lastTime by user src City Region Country | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious AWS Login Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login\"\n                                ]\n                            }\n                        },\n          
              {\n                            \"name\": \"Update previously seen users in CloudTrail - DM\",\n                            \"id\": \"66ff71c2-7e01-47dd-a041-906688c9d322\",\n                            \"version\": 1,\n                            \"date\": \"2020-05-28\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by user, within the last hour.\",\n                            \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authenticaiton.src | iplocation Authentication.src | rename Authentication.user as user Authentciation.src as src | table user src City Region Country firstTime lastTime | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious Cloud Authentication Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n       
                             \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login - DM\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_aws_console_login_by_user_from_new_country_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect AWS Console Login by User from New Region\",\n                    \"id\": \"9f31aa8e-e37c-46bc-bce1-8b3be646d026\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-30\",\n                    \"description\": \"This search looks for CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. 
The alert is fired if the user has logged into the console for the first time within the last hour.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Run the \\\"Previously seen users in CloudTrail\\\" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run \\\"Update previously seen users in CloudTrail\\\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user Region | join user type=outer [| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) AS earliestseen by user | fields earliestseen user] | eval userStatus=if(firstTime >= relative_time(now(), \\\"@d\\\"), \\\"New Region\\\",\\\"Previously Seen Region\\\") | eval UserData=if(earliestseen >= relative_time(now(), \\\"@d\\\") OR isnull(earliestseen), \\\"New User\\\",\\\"Old User\\\") | where userStatus=\\\"New Region\\\" AND UserData=\\\"Old User\\\" | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `security_content_ctime(earliestseen)` | table user Region userStatus firstTime lastTime earliestseen | `detect_aws_console_login_by_user_from_new_region_filter`\",\n                    \"known_false_positives\": \"When a legitimate new user logs in for the first time, this activity will be detected. 
Check how old the account is and verify that the user activity is legitimate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS Login Activities\",\n                            \"Suspicious Cloud Authentication Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1535\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Unused/Unsupported Cloud Regions\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously seen users in CloudTrail\",\n                            \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd03\",\n                            \"version\": 1,\n                            \"date\": \"2018-04-30\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last 30 days.\",\n           
                 \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                            \"author\": \"Jason Brewer, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) as firstTime latest(_time) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious AWS Login Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Previously seen users in CloudTrail - DM\",\n                            \"id\": \"0a87ecf9-dc6a-43af-861a-205e75a09bf5\",\n                            \"version\": 1,\n                            \"date\": \"2020-05-28\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, 
and Country we have encountered this user in our dataset, grouped by username, within the last 30 days.\",\n                            \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | table user src City Region Country firstTime lastTime | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious Cloud Authentication Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login - DM\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Update previously seen users in CloudTrail\",\n                            \"id\": \"06c036e6-d6d7-4daa-bd76-411c3d356031\",\n                            \"version\": 1,\n                            
\"date\": \"2018-04-30\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last hour.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                            \"author\": \"Jason Brewer, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) AS firstTime latest(_time) AS lastTime by user src City Region Country | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious AWS Login Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login\"\n                                ]\n                            }\n                        },\n          
              {\n                            \"name\": \"Update previously seen users in CloudTrail - DM\",\n                            \"id\": \"66ff71c2-7e01-47dd-a041-906688c9d322\",\n                            \"version\": 1,\n                            \"date\": \"2020-05-28\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by user, within the last hour.\",\n                            \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authenticaiton.src | iplocation Authentication.src | rename Authentication.user as user Authentciation.src as src | table user src City Region Country firstTime lastTime | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious Cloud Authentication Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n       
                             \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login - DM\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_aws_console_login_by_user_from_new_region_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect new user AWS Console Login\",\n                    \"id\": \"ada0f478-84a8-4641-a3f3-d82362dffd75\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. 
The alert is fired if the user has logged into the console for the first time within the last hour.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Run the \\\"Previously seen users in CloudTrail\\\" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run \\\"Update previously seen users in CloudTrail\\\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | stats earliest(_time) as firstTime latest(_time) as lastTime by user | inputlookup append=t previously_seen_users_console_logins.csv  | stats min(firstTime) as firstTime max(lastTime) as lastTime by user | eval userStatus=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), \\\"First Time Logging into AWS Console\\\",\\\"Previously Seen User\\\") | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| where userStatus =\\\"First Time Logging into AWS Console\\\"  | `detect_new_user_aws_console_login_filter`\",\n                    \"known_false_positives\": \"When a legitimate new user logs in for the first time, this activity will be detected. 
Check how old the account is and verify that the user activity is legitimate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS Login Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.004\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT33\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously seen users in CloudTrail\",\n                            \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd03\",\n                            \"version\": 1,\n                            \"date\": \"2018-04-30\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our 
dataset, grouped by ARN, within the last 30 days.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                            \"author\": \"Jason Brewer, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) as firstTime latest(_time) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious AWS Login Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Update previously seen users in CloudTrail\",\n                            \"id\": \"06c036e6-d6d7-4daa-bd76-411c3d356031\",\n                            \"version\": 1,\n                            \"date\": \"2018-04-30\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then 
updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last hour.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                            \"author\": \"Jason Brewer, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) AS firstTime latest(_time) AS lastTime by user src City Region Country | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious AWS Login Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n    
                        \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_new_user_aws_console_login_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious AWS S3 Activities\",\n            \"id\": \"2e8948a5-5239-406b-b56b-6c50w3168af3\",\n            \"version\": 2,\n            \"date\": \"2018-07-24\",\n            \"description\": \"Use the searches in this Analytic Story to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.\",\n            \"narrative\": \"As cloud computing has exploded, so has the number of creative attacks on virtual environments. 
And as the number-two cloud-service provider, Amazon Web Services (AWS) has certainly had its share.\\\\\\nAmazon's \\\"shared responsibility\\\" model dictates that the company has responsibility for the environment outside of the VM and the customer is responsible for the security inside of the S3 container. As such, it's important to stay vigilant for activities that may indicate suspicious behavior inside of your environment.\\\\\\nAmong things to look out for are S3 access from unfamiliar locations and by unfamiliar users. Some of the searches in this Analytic Story help you detect suspicious behavior and others help you investigate more deeply, when the situation warrants.   \",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf\",\n                \"https://www.tripwire.com/state-of-security/security-data-protection/cloud/public-aws-s3-buckets-writable/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Suspicious AWS S3 Activities\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1530\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Data from Cloud Storage Object\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Collection\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect New Open S3 buckets\",\n                    \"id\": \"2a9b80d3-6340-4345-b5ad-290bf3d0dac4\",\n                    \"version\": 1,\n                    \"date\": \"2018-07-25\",\n                    
\"description\": \"This search looks for CloudTrail events where a user has created an open/public S3 bucket.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), and then configure your CloudTrail inputs. The threshold value should be tuned to your environment.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` AllUsers eventName=PutBucketAcl | spath output=userIdentityArn path=userIdentity.arn | spath output=bucketName path=requestParameters.bucketName | spath output=aclControlList path=requestParameters.AccessControlPolicy.AccessControlList | spath input=aclControlList output=grantee path=Grant{} | mvexpand grantee | spath input=grantee | search Grantee.URI=*AllUsers | rename userIdentityArn as user| table _time, src,awsRegion Permission, Grantee.URI, bucketName, user | `detect_new_open_s3_buckets_filter`\",\n                    \"known_false_positives\": \"While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. 
That said, AWS strongly advises against granting full control to the \\\"All Users\\\" group.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS S3 Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1530\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"PR.DS\",\n                            \"PR.AC\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"S3 Bucket\",\n                        \"mitre_attack_technique\": [\n                            \"Data from Cloud Storage Object\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Collection\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"detect_new_open_s3_buckets_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect S3 access from a new IP\",\n                    \"id\": \"2a9b80d3-6340-4345-b5ad-291bq3d0daq4\",\n                    \"version\": 1,\n                    \"date\": \"2018-06-28\",\n                    \"description\": \"This search looks at S3 bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed an S3 bucket.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access logs' inputs. This search works best when you run the \\\"Previously Seen S3 Bucket Access by Remote IP\\\" support search once to create a history of previously seen remote IPs and bucket names.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`aws_s3_accesslogs` http_status=200  [search `aws_s3_accesslogs` http_status=200 | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip | inputlookup append=t previously_seen_S3_access_from_remote_ip.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip.csv | eval newIP=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newIP=1 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | table bucket_name remote_ip]| iplocation remote_ip |rename remote_ip as src_ip | table _time bucket_name src_ip City Country operation request_uri | `detect_s3_access_from_a_new_ip_filter`\",\n                    \"known_false_positives\": \"S3 buckets can be accessed from any IP, as long as it can 
make a successful connection. This will be a false positive, since the search is looking for a new IP within the past hour.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS S3 Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1530\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 13\",\n                            \"CIS 14\"\n                        ],\n                        \"nist\": [\n                            \"PR.DS\",\n                            \"PR.AC\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"S3 Bucket\",\n                        \"mitre_attack_technique\": [\n                            \"Data from Cloud Storage Object\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Collection\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously seen S3 bucket access by remote IP\",\n                            \"id\": \"fc0edc15-fq2c-48b0-9f6f-63qa1281fd03\",\n                            \"version\": 1,\n                            \"date\": \"2018-06-28\",\n                            \"description\": \"This search looks for successful access to S3 buckets from remote IP addresses, then creates a baseline of the earliest and latest times we have encountered this remote IP within the last 30 days. 
In this support search, we are only looking for S3 access events where the HTTP response code from AWS is \\\"200\\\"\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access-logs inputs. You must validate the remote IP and bucket name entries in `previously_seen_S3_access_from_remote_ip.csv`, which is a lookup file created as a result of running this support search.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"`aws_s3_accesslogs` http_status=200  | stats  earliest(_time) as earliest latest(_time) as latest by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious AWS S3 Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect S3 access from a new IP\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"sourcetype=aws:s3:accesslogs\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"aws_s3_accesslogs\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_s3_access_from_a_new_ip_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Spike in S3 Bucket deletion\",\n                    \"id\": \"ad12w478-84a8-4641-a3w1-e32372q4bd53\",\n                    \"version\": 1,\n                    \"date\": \"2018-11-27\",\n                    \"description\": \"This search detects users creating spikes in API activity related to deletion of S3 buckets in your AWS environment. It will also update the cache file that factors in the latest data.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required to have a statistically significant amount of data from which to determine a spike. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. 
This search works best when you run the \\\"Baseline of S3 Bucket deletion activity by ARN\\\" support search once to create a baseline of previously seen S3 bucket-deletion activity.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup s3_deletion_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | spath output=bucketName path=requestParameters.bucketName | stats values(bucketName) as bucketName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_s3_bucket_deletion_filter`\",\n                    \"known_false_positives\": \"Based on the values of`dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. 
Please modify this according to your environment.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS S3 Activities\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1530\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.CM\",\n                            \"PR.AC\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"S3 Bucket\",\n                        \"mitre_attack_technique\": [\n                            \"Data from Cloud Storage Object\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Collection\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of S3 Bucket deletion activity by ARN\",\n                            \"id\": \"fc0edd96-ff2b-48b0-9f1f-63eq3783fd63\",\n                            \"version\": 1,\n                            \"date\": \"2018-07-17\",\n                            \"description\": \"This search establishes, on a per-hour basis, the average and standard deviation for the number of API calls related to deleting an S3 bucket by each user. Also recorded is the number of data points for each user. 
This table is then output to a lookup file to allow the detection search to operate quickly.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious AWS S3 Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect Spike in S3 Bucket deletion\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"detect_spike_in_s3_bucket_deletion_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious AWS Traffic\",\n            \"id\": \"2e8948a5-5239-406b-b56b-6c50f2168af3\",\n            \"version\": 1,\n            \"date\": \"2018-05-07\",\n            \"description\": \"Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC).\",\n            \"narrative\": \"A virtual private cloud (VPC) is an on-demand managed cloud-computing service that isolates computing resources for each client. Inside the VPC container, the environment resembles a physical network. \\\\\\nAmazon's VPC service enables you to launch EC2 instances and leverage other Amazon resources. The traffic that flows in and out of this VPC can be controlled via network access-control rules and security groups. Amazon also has a feature called VPC Flow Logs that enables you to log IP traffic going to and from the network interfaces in your VPC. This data is stored using Amazon CloudWatch Logs.\\\\\\n Attackers may abuse the AWS infrastructure with insecure VPCs so they can co-opt AWS resources for command-and-control nodes, data exfiltration, and more. Once an EC2 instance is compromised, an attacker may initiate outbound network connections for malicious reasons. 
Monitoring these network traffic behaviors is crucial for understanding the type of traffic flowing in and out of your network and to alert you to suspicious activities.\\\\\\nThe searches in this Analytic Story will monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Suspicious AWS Traffic\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"mitre_attack_id\": [],\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect Spike in blocked Outbound Traffic from your AWS\",\n                    \"id\": \"ada0f278-84a8-46w1-a3f1-w32372d4bd53\",\n                    \"version\": 1,\n                    \"date\": \"2018-05-07\",\n                    \"description\": \"This search will detect spike in blocked outbound network connections originating from within your AWS environment.  It will also update the cache file that factors in the latest data.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. 
The `dataPointThreshold` variable is the number of data points required to meet the definition of \\\"spike.\\\" The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the \\\"Baseline of Blocked Outbound Connection\\\" support search once to create a history of previously seen blocked outbound connections.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16)  [search  `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16)  | stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections as latestCount | eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720 | eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720)) | eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold = 3 | eval isSpike=if((latestCount > 
avgBlockedConnections+deviationThreshold*stdevBlockedConnections) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip] | stats values(dest_ip) as \\\"Blocked Destination IPs\\\", values(interface_id) as \\\"resourceId\\\" count as numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip | `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter`\",\n                    \"known_false_positives\": \"The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"AWS Network ACL Activity\",\n                            \"Suspicious AWS Traffic\",\n                            \"Command and Control\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\",\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 11\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"DE.CM\",\n                            \"PR.AC\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of blocked outbound traffic from AWS\",\n                            \"id\": 
\"fc0edd96-ff2b-48b0-9f1f-63da3782fd63\",\n                            \"version\": 1,\n                            \"date\": \"2018-05-07\",\n                            \"description\": \"This search establishes, on a per-hour basis, the average and the standard deviation of the number of outbound connections blocked in your VPC flow logs by each source IP address (IP address of your EC2 instances). Also recorded is the number of data points for each source IP. This table outputs to a lookup file to allow the detection search to operate quickly.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your `VPC flow logs.`.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | bucket _time span=1h | stats count as numberOfBlockedConnections by _time, src_ip | stats count(numberOfBlockedConnections) as numDataPoints, latest(numberOfBlockedConnections) as latestCount, avg(numberOfBlockedConnections) as avgBlockedConnections, stdev(numberOfBlockedConnections) as stdevBlockedConnections by src_ip | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"AWS Network ACL Activity\",\n                                    \"Command and Control\",\n                                    \"Suspicious AWS Traffic\"\n                                ],\n                                \"detections\": [\n                                    \"Detect Spike in blocked Outbound 
Traffic from your AWS\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=aws:cloudwatchlogs:vpcflow\",\n                            \"description\": \"Customer-specific Splunk configurations (e.g. index, source, sourcetype). Replace the macro definition with configurations for your Splunk environment.\",\n                            \"name\": \"cloudwatchlogs_vpcflow\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_spike_in_blocked_outbound_traffic_from_your_aws_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious Cloud Authentication Activities\",\n            \"id\": \"6380ebbb-55c5-4fce-b754-01fd565fb73c\",\n            \"version\": 1,\n            \"date\": \"2020-06-04\",\n            \"description\": \"Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity.\",\n            \"narrative\": \"It is important to monitor and control who has access to your cloud infrastructure. Detecting suspicious logins will provide good starting points for investigations. 
Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any compute activity whether legitimate or otherwise.\\\\\\nThis Analytic Story has data model versions of cloud searches leveraging Authentication data, including those looking for suspicious login activity, and cross-account activity for AWS.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/\",\n                \"https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Suspicious Cloud Authentication Activities\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1535\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Unused/Unsupported Cloud Regions\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect AWS Console Login by User from New City\",\n                    \"id\": \"121b0b11-f8ac-4ed6-a132-3800ca4fc07a\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-30\",\n                    \"description\": \"This search looks for CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. 
The alert is fired if the user has logged into the console for the first time within the last hour\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Run the \\\"Previously seen users in CloudTrail\\\" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run \\\"Update previously seen users in CloudTrail\\\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user City | join user type=outer [| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) AS earliestseen by user | fields earliestseen user] | eval userStatus=if(firstTime >= relative_time(now(), \\\"@d\\\"), \\\"New City\\\",\\\"Previously Seen City\\\") | eval UserData=if(earliestseen >= relative_time(now(), \\\"@d\\\") OR isnull(earliestseen), \\\"New User\\\",\\\"Old User\\\") | where userStatus=\\\"New City\\\" AND UserData=\\\"Old User\\\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `security_content_ctime(earliestseen)` | table user City userStatus firstTime lastTime earliestseen | `detect_aws_console_login_by_user_from_new_city_filter`\",\n                    \"known_false_positives\": \"When a legitimate new user logins for the first time, this activity will be detected. 
Check how old the account is and verify that the user activity is legitimate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS Login Activities\",\n                            \"Suspicious Cloud Authentication Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1535\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Unused/Unsupported Cloud Regions\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously seen users in CloudTrail\",\n                            \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd03\",\n                            \"version\": 1,\n                            \"date\": \"2018-04-30\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last 30 days.\",\n           
                 \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                            \"author\": \"Jason Brewer, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) as firstTime latest(_time) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious AWS Login Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Previously seen users in CloudTrail - DM\",\n                            \"id\": \"0a87ecf9-dc6a-43af-861a-205e75a09bf5\",\n                            \"version\": 1,\n                            \"date\": \"2020-05-28\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, 
and Country we have encountered this user in our dataset, grouped by username, within the last 30 days.\",\n                            \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | table user src City Region Country firstTime lastTime | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious Cloud Authentication Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login - DM\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Update previously seen users in CloudTrail\",\n                            \"id\": \"06c036e6-d6d7-4daa-bd76-411c3d356031\",\n                            \"version\": 1,\n                            
\"date\": \"2018-04-30\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last hour.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                            \"author\": \"Jason Brewer, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) AS firstTime latest(_time) AS lastTime by user src City Region Country | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious AWS Login Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login\"\n                                ]\n                            }\n                        },\n          
              {\n                            \"name\": \"Update previously seen users in CloudTrail - DM\",\n                            \"id\": \"66ff71c2-7e01-47dd-a041-906688c9d322\",\n                            \"version\": 1,\n                            \"date\": \"2020-05-28\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by user, within the last hour.\",\n                            \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | table user src City Region Country firstTime lastTime | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious Cloud Authentication Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n       
                             \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login - DM\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_aws_console_login_by_user_from_new_city_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect AWS Console Login by User from New Country\",\n                    \"id\": \"67bd3def-c41c-4bf6-837b-ae196b4257c6\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-30\",\n                    \"description\": \"This search looks for CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. 
The alert is fired if the user has logged into the console for the first time within the last hour\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Run the \\\"Previously seen users in CloudTrail\\\" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run \\\"Update previously seen users in CloudTrail\\\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user Country | join user type=outer [| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) AS earliestseen by user | fields earliestseen user] | eval userStatus=if(firstTime >= relative_time(now(), \\\"@d\\\"), \\\"New Country\\\",\\\"Previously Seen Country\\\") | eval UserData=if(earliestseen >= relative_time(now(), \\\"@d\\\") OR isnull(earliestseen), \\\"New User\\\",\\\"Old User\\\") | where userStatus=\\\"New Country\\\" AND UserData=\\\"Old User\\\" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`security_content_ctime(earliestseen)` | table user Country userStatus firstTime lastTime earliestseen | `detect_aws_console_login_by_user_from_new_country_filter`\",\n                    \"known_false_positives\": \"When a legitimate new user logins for the first time, this activity will be detected. 
Check how old the account is and verify that the user activity is legitimate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS Login Activities\",\n                            \"Suspicious Cloud Authentication Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1535\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Unused/Unsupported Cloud Regions\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously seen users in CloudTrail\",\n                            \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd03\",\n                            \"version\": 1,\n                            \"date\": \"2018-04-30\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last 30 days.\",\n           
                 \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                            \"author\": \"Jason Brewer, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) as firstTime latest(_time) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious AWS Login Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Previously seen users in CloudTrail - DM\",\n                            \"id\": \"0a87ecf9-dc6a-43af-861a-205e75a09bf5\",\n                            \"version\": 1,\n                            \"date\": \"2020-05-28\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, 
and Country we have encountered this user in our dataset, grouped by username, within the last 30 days.\",\n                            \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | table user src City Region Country firstTime lastTime | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious Cloud Authentication Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login - DM\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Update previously seen users in CloudTrail\",\n                            \"id\": \"06c036e6-d6d7-4daa-bd76-411c3d356031\",\n                            \"version\": 1,\n                            
\"date\": \"2018-04-30\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last hour.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                            \"author\": \"Jason Brewer, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) AS firstTime latest(_time) AS lastTime by user src City Region Country | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious AWS Login Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login\"\n                                ]\n                            }\n                        },\n          
              {\n                            \"name\": \"Update previously seen users in CloudTrail - DM\",\n                            \"id\": \"66ff71c2-7e01-47dd-a041-906688c9d322\",\n                            \"version\": 1,\n                            \"date\": \"2020-05-28\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by user, within the last hour.\",\n                            \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authenticaiton.src | iplocation Authentication.src | rename Authentication.user as user Authentciation.src as src | table user src City Region Country firstTime lastTime | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious Cloud Authentication Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n       
                             \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login - DM\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_aws_console_login_by_user_from_new_country_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect AWS Console Login by User from New Region\",\n                    \"id\": \"9f31aa8e-e37c-46bc-bce1-8b3be646d026\",\n                    \"version\": 1,\n                    \"date\": \"2018-04-30\",\n                    \"description\": \"This search looks for CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. 
The alert is fired if the user has logged into the console for the first time within the last hour.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Run the \\\"Previously seen users in CloudTrail\\\" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run \\\"Update previously seen users in CloudTrail\\\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Jason Brewer, Splunk\",\n                    \"search\": \"| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user Region | join user type=outer [| inputlookup previously_seen_users_console_logins.csv | stats min(firstTime) AS earliestseen by user | fields earliestseen user] | eval userStatus=if(firstTime >= relative_time(now(), \\\"@d\\\"), \\\"New Region\\\",\\\"Previously Seen Region\\\") | eval UserData=if(earliestseen >= relative_time(now(), \\\"@d\\\") OR isnull(earliestseen), \\\"New User\\\",\\\"Old User\\\") | where userStatus=\\\"New Region\\\" AND UserData=\\\"Old User\\\" | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `security_content_ctime(earliestseen)` | table user Region userStatus firstTime lastTime earliestseen | `detect_aws_console_login_by_user_from_new_region_filter`\",\n                    \"known_false_positives\": \"When a legitimate new user logs in for the first time, this activity will be detected. 
Check how old the account is and verify that the user activity is legitimate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious AWS Login Activities\",\n                            \"Suspicious Cloud Authentication Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1535\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Unused/Unsupported Cloud Regions\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously seen users in CloudTrail\",\n                            \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd03\",\n                            \"version\": 1,\n                            \"date\": \"2018-04-30\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last 30 days.\",\n           
                 \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                            \"author\": \"Jason Brewer, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) as firstTime latest(_time) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious AWS Login Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Previously seen users in CloudTrail - DM\",\n                            \"id\": \"0a87ecf9-dc6a-43af-861a-205e75a09bf5\",\n                            \"version\": 1,\n                            \"date\": \"2020-05-28\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, 
and Country we have encountered this user in our dataset, grouped by username, within the last 30 days.\",\n                            \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | table user src City Region Country firstTime lastTime | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious Cloud Authentication Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login - DM\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Update previously seen users in CloudTrail\",\n                            \"id\": \"06c036e6-d6d7-4daa-bd76-411c3d356031\",\n                            \"version\": 1,\n                            
\"date\": \"2018-04-30\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last hour.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n                            \"author\": \"Jason Brewer, Splunk\",\n                            \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) AS firstTime latest(_time) AS lastTime by user src City Region Country | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious AWS Login Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login\"\n                                ]\n                            }\n                        },\n          
              {\n                            \"name\": \"Update previously seen users in CloudTrail - DM\",\n                            \"id\": \"66ff71c2-7e01-47dd-a041-906688c9d322\",\n                            \"version\": 1,\n                            \"date\": \"2020-05-28\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by user, within the last hour.\",\n                            \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authenticaiton.src | iplocation Authentication.src | rename Authentication.user as user Authentciation.src as src | table user src City Region Country firstTime lastTime | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious Cloud Authentication Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n       
                             \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login - DM\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_aws_console_login_by_user_from_new_region_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect new user AWS Console Login - DM\",\n                    \"id\": \"bc91a8cd-35e7-4bb2-6140-e756cc46fd71\",\n                    \"version\": 1,\n                    \"date\": \"2020-05-28\",\n                    \"description\": \"This search looks for CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. 
The alert is fired if the user has logged into the console for the first time within the last hour.\",\n                    \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the \\\"Previously seen users in CloudTrail\\\" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run \\\"Update previously seen users in CloudTrail\\\" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user | `drop_dm_object_name(Authentication)` | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user | eval userStatus=if(firstTime >=relative_time(now(), '-70m@m'), 'First Time Logging into AWS Console','Previously Seen User')| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `detect_new_user_aws_console_login___dm_filter`\",\n                    \"known_false_positives\": \"When a legitimate new user logs in for the first time, this activity will be detected. 
Check how old the account is and verify that the user activity is legitimate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Cloud Authentication Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously seen users in CloudTrail - DM\",\n                            \"id\": \"0a87ecf9-dc6a-43af-861a-205e75a09bf5\",\n                            \"version\": 1,\n                            \"date\": \"2020-05-28\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by username, within the last 30 days.\",\n                            \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. 
Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | table user src City Region Country firstTime lastTime | outputlookup previously_seen_users_console_logins.csv | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious Cloud Authentication Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login - DM\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Update previously seen users in CloudTrail - DM\",\n                            \"id\": \"66ff71c2-7e01-47dd-a041-906688c9d322\",\n                            \"version\": 1,\n                            \"date\": \"2020-05-28\",\n                            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by user, within the last hour.\",\n                            
\"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authenticaiton.src | iplocation Authentication.src | rename Authentication.user as user Authentciation.src as src | table user src City Region Country firstTime lastTime | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious Cloud Authentication Activities\"\n                                ],\n                                \"detections\": [\n                                    \"Detect AWS Console Login by User from New Country\",\n                                    \"Detect AWS Console Login by User from New Region\",\n                                    \"Detect AWS Console Login by User from New City\",\n                                    \"Detect new user AWS Console Login - DM\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert 
timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_new_user_aws_console_login___dm_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious Command-Line Executions\",\n            \"id\": \"f4368ddf-d59f-4192-84f6-778ac5a3ffc7\",\n            \"version\": 2,\n            \"date\": \"2020-02-03\",\n            \"description\": \"Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.\",\n            \"narrative\": \"The ability to execute arbitrary commands via the Windows CLI is a primary goal for the adversary. With access to the shell, an attacker can easily run scripts and interact with the target system. Often, attackers may only have limited access to the shell or may obtain access in unusual ways. In addition, malware may execute and interact with the CLI in ways that would be considered unusual and inconsistent with typical user activity. This provides defenders with opportunities to identify suspicious use and investigate, as appropriate. 
This Analytic Story contains various searches to help identify this suspicious activity, as well as others to aid you in deeper investigation.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://attack.mitre.org/wiki/Technique/T1059\",\n                \"https://www.microsoft.com/en-us/wdsi/threats/macro-malware\",\n                \"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Suspicious Command-Line Executions\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1036\",\n                    \"T1059.003\",\n                    \"T1059.001\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Windows Command Shell\",\n                    \"PowerShell\",\n                    \"Masquerading\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Dragonfly 2.0\",\n                    \"Soft Cell\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"APT41\",\n                    \"BRONZE BUTLER\",\n                    \"Honeybee\",\n                    \"Gamaredon Group\",\n                    \"Frankenstein\",\n                    \"Threat Group-3390\",\n                    \"DarkHydrus\",\n                    \"Cobalt Group\",\n                    \"TA459\",\n                    \"APT18\",\n                    \"FIN10\",\n                    \"Tropic Trooper\",\n                    \"APT32\",\n     
               \"Patchwork\",\n                    \"TEMP.Veles\",\n                    \"APT28\",\n                    \"Deep Panda\",\n                    \"Turla\",\n                    \"Rancor\",\n                    \"CopyKittens\",\n                    \"FIN8\",\n                    \"APT38\",\n                    \"Gallmaker\",\n                    \"APT29\",\n                    \"Sowbug\",\n                    \"Silence\",\n                    \"Molerats\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"menuPass\",\n                    \"DarkVishnya\",\n                    \"Blue Mockingbird\",\n                    \"Suckfly\",\n                    \"APT33\",\n                    \"Poseidon Group\",\n                    \"Stealth Falcon\",\n                    \"APT39\",\n                    \"Gorgon Group\",\n                    \"Magic Hound\",\n                    \"admin@338\",\n                    \"Inception\",\n                    \"Windshift\",\n                    \"Kimsuky\",\n                    \"Dark Caracal\",\n                    \"Thrip\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"Wizard Spider\",\n                    \"WIRTE\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"Threat Group-1314\",\n                    \"FIN6\",\n                    \"TA505\",\n                    \"Ke3chang\",\n                    \"APT1\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect Prohibited Applications Spawning cmd exe\",\n                    \"id\": \"dcfd6b40-42f9-469d-a433-2e53f7486664\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch 
cmd.exe.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts and populates the Endpoint data model with the resultant dataset. This search includes a lookup file, `prohibited_apps_launching_cmd.csv`, that contains a list of processes that should not be spawning cmd.exe. You can modify this lookup to better suit your environment.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.parent_process_name Processes.process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd`] | `detect_prohibited_applications_spawning_cmd_exe_filter`\",\n                    \"known_false_positives\": \"There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. 
Investigate and modify the lookup file, as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Command-Line Executions\",\n                            \"Suspicious MSHTA Activity\",\n                            \"Suspicious Zoom Child Processes\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Exploitation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Command Shell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"TA505\",\n                            \"Blue Mockingbird\",\n                            \"Tropic Trooper\",\n                            \"Frankenstein\",\n                            \"OilRig\",\n                            \"Lazarus Group\",\n                            \"Honeybee\",\n                            \"Cobalt Group\",\n                            \"FIN7\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"Turla\",\n                            \"Silence\",\n                            \"APT32\",\n                            \"APT39\",\n                            \"Darkhotel\",\n                     
       \"MuddyWater\",\n                            \"APT18\",\n                            \"APT38\",\n                            \"Dark Caracal\",\n                            \"Gorgon Group\",\n                            \"Dragonfly 2.0\",\n                            \"Rancor\",\n                            \"Ke3chang\",\n                            \"APT37\",\n                            \"Leviathan\",\n                            \"FIN8\",\n                            \"APT28\",\n                            \"Magic Hound\",\n                            \"Sowbug\",\n                            \"BRONZE BUTLER\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Gamaredon Group\",\n                            \"Suckfly\",\n                            \"Patchwork\",\n                            \"Threat Group-1314\",\n                            \"APT3\",\n                            \"admin@338\",\n                            \"APT1\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name=\\\"*\\\" . 
parent_process_name | table parent_process_name\",\n                            \"description\": \"This macro outputs a list of process that should not be the parent process of cmd.exe\",\n                            \"name\": \"prohibited_apps_launching_cmd\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_prohibited_applications_spawning_cmd_exe_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Use of cmd exe to Launch Script Interpreters\",\n                    \"id\": \"b89919ed-fe5f-492c-b139-95dbb162039e\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination of the machine\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=\\\"cmd.exe\\\" (Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`\",\n                    \"known_false_positives\": \"Some legitimate applications may exhibit this behavior.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"Suspicious Command-Line Executions\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Exploitation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Command Shell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            
\"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"TA505\",\n                            \"Blue Mockingbird\",\n                            \"Tropic Trooper\",\n                            \"Frankenstein\",\n                            \"OilRig\",\n                            \"Lazarus Group\",\n                            \"Honeybee\",\n                            \"Cobalt Group\",\n                            \"FIN7\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"Turla\",\n                            \"Silence\",\n                            \"APT32\",\n                            \"APT39\",\n                            \"Darkhotel\",\n                            \"MuddyWater\",\n                            \"APT18\",\n                            \"APT38\",\n                            \"Dark Caracal\",\n                            \"Gorgon Group\",\n                            \"Dragonfly 2.0\",\n                            \"Rancor\",\n                            \"Ke3chang\",\n                            \"APT37\",\n                            \"Leviathan\",\n                            \"FIN8\",\n                            \"APT28\",\n                            \"Magic Hound\",\n                            \"Sowbug\",\n                            \"BRONZE BUTLER\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Gamaredon Group\",\n                            \"Suckfly\",\n                            \"Patchwork\",\n                            \"Threat Group-1314\",\n                            \"APT3\",\n                            \"admin@338\",\n                            \"APT1\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n    
                        \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_use_of_cmd_exe_to_launch_script_interpreters_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"First time seen command line argument\",\n                    \"id\": \"9be56c82-b1cc-4318-87eb-q138afaaqa39\",\n                    \"version\": 5,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. 
Please make sure you run the support search \\\"Previously seen command line arguments,\\\"&#151;which creates a lookup file called `previously_seen_cmd_line_arguments.csv`&#151;a historical baseline of all command-line arguments. You must also validate this list. For the search to do accurate calculation, ensure the search scheduling is the same value as the `relative_time` evaluation function.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \\\"* /c *\\\" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest| `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = \\\"* /c *\\\" by Processes.process | `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter` \",\n                    \"known_false_positives\": \"Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. 
We recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DHS Report TA18-074A\",\n                            \"Suspicious Command-Line Executions\",\n                            \"Orangeworm Attack Group\",\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Hidden Cobra Malware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.001\",\n                            \"T1059.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"PowerShell\",\n                            \"Windows Command Shell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\",\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"DarkVishnya\",\n                            \"Molerats\",\n                            \"Wizard Spider\",\n          
                  \"Frankenstein\",\n                            \"Inception\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Soft Cell\",\n                            \"TA505\",\n                            \"WIRTE\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"Gallmaker\",\n                            \"Turla\",\n                            \"APT19\",\n                            \"DarkHydrus\",\n                            \"APT28\",\n                            \"Thrip\",\n                            \"Gorgon Group\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"Leviathan\",\n                            \"TA459\",\n                            \"FIN8\",\n                            \"MuddyWater\",\n                            \"Magic Hound\",\n                            \"OilRig\",\n                            \"BRONZE BUTLER\",\n                            \"CopyKittens\",\n                            \"APT32\",\n                            \"FIN7\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Patchwork\",\n                            \"Stealth Falcon\",\n                            \"FIN6\",\n                            \"Poseidon Group\",\n                            \"APT3\",\n                            \"APT29\",\n                            \"Deep Panda\",\n                            \"TA505\",\n                            \"Blue Mockingbird\",\n                            \"Tropic Trooper\",\n                            \"Frankenstein\",\n                            \"OilRig\",\n                            \"Lazarus Group\",\n                            \"Honeybee\",\n        
                    \"Cobalt Group\",\n                            \"FIN7\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"Turla\",\n                            \"Silence\",\n                            \"APT32\",\n                            \"APT39\",\n                            \"Darkhotel\",\n                            \"MuddyWater\",\n                            \"APT18\",\n                            \"APT38\",\n                            \"Dark Caracal\",\n                            \"Gorgon Group\",\n                            \"Dragonfly 2.0\",\n                            \"Rancor\",\n                            \"Ke3chang\",\n                            \"APT37\",\n                            \"Leviathan\",\n                            \"FIN8\",\n                            \"APT28\",\n                            \"Magic Hound\",\n                            \"Sowbug\",\n                            \"BRONZE BUTLER\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Gamaredon Group\",\n                            \"Suckfly\",\n                            \"Patchwork\",\n                            \"Threat Group-1314\",\n                            \"APT3\",\n                            \"admin@338\",\n                            \"APT1\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously seen command line arguments\",\n                            \"id\": \"56059acf-50fe-4f60-98d1-b75b51b5c2f3\",\n                            \"version\": 2,\n                            \"date\": \"2019-03-01\",\n                            \"description\": \"This search looks for command-line arguments where `cmd.exe /c` is used to execute a program, then creates a 
baseline of the earliest and latest times we have encountered this command-line argument in our dataset within the last 30 days.\",\n                            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                            \"author\": \"Bhavin Patel, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe AND Processes.process=\\\"* /c *\\\" by Processes.process | `drop_dm_object_name(Processes)`\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"DHS Report TA18-074A\",\n                                    \"Disabling Security Tools\",\n                                    \"Hidden Cobra Malware\",\n                                    \"Netsh Abuse\",\n                                    \"Orangeworm Attack Group\",\n                                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                                    \"Suspicious Command-Line Executions\",\n                                    \"Suspicious MSHTA Activity\"\n                                ],\n                                \"detections\": [\n                                    \"Detect Prohibited Applications Spawning cmd.exe\",\n                                    \"Processes launching netsh\",\n                                    \"First time seen command line argument\"\n                                ]\n                            }\n                        }\n               
     ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"first_time_seen_command_line_argument_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"System Processes Run From Unexpected Locations\",\n                    \"id\": \"a34aae96-ccf8-4aef-952c-3ea21444444d\",\n                    \"version\": 5,\n                    \"date\": \"2020-02-04\",\n                    \"description\": \"This search looks for system processes that normally run out of C:\\\\Windows\\\\System32\\\\ or C:\\\\Windows\\\\SysWOW64 that are not run from that location.  This can indicate a malicious process that is trying to hide as a legitimate process.\",\n                    \"how_to_implement\": \"To successfully implement this search you need to ingest details about process execution from your hosts. 
Specifically, this search requires the process name and the full path to the process executable.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !=\\\"C:\\\\\\\\Windows\\\\\\\\System32*\\\" Processes.process_path !=\\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64*\\\" by Processes.user Processes.dest Processes.process_name Processes.process_id Processes.process_path Processes.parent_process_name Processes.process_hash| `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file` | `system_processes_run_from_unexpected_locations_filter`\",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Command-Line Executions\",\n                            \"Unusual Processes\",\n                            \"Ransomware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1036\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Masquerading\"\n                        ],\n            
            \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Windshift\",\n                            \"APT32\",\n                            \"BRONZE BUTLER\",\n                            \"menuPass\",\n                            \"Dragonfly 2.0\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true\",\n                            \"description\": \"This macro limits the output to process names that are in the Windows System directory\",\n                            \"name\": \"is_windows_system_file\"\n                        },\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"system_processes_run_from_unexpected_locations_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Unusually Long Command Line\",\n                    \"id\": \"c77162d3-f93c-45cc-80c8-22f6a4264e7f\",\n                    \"version\": 4,\n                    \"date\": \"2020-03-16\",\n                    \"description\": \"Command lines that are extremely long may be indicative of malicious activity on your hosts.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships, from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the process field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|  eval processlen=len(process) | eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process | `unusually_long_command_line_filter` | eval threshold = 10 | where maxlen > ((threshold*stdevperhost) + avgperhost)\",\n                    \"known_false_positives\": \"Some legitimate applications start with long command lines.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Command-Line Executions\",\n                        
    \"Unusual Processes\",\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"unusually_long_command_line_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Unusually Long Command Line - MLTK\",\n                    \"id\": \"57edaefa-a73b-45e5-bbae-f39c1473f941\",\n                    \"version\": 1,\n                    \"date\": \"2019-05-08\",\n                    \"description\": \"Command lines that are extremely long may be indicative of malicious activity on your hosts. This search leverages the Machine Learning Toolkit (MLTK) to help identify command lines with lengths that are unusual for a given user.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that monitors command lines and populates the Endpoint data model in the Processes node. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. In addition, MLTK version >= 4.2 must be installed on your search heads, along with any required dependencies. Finally, the support search \\\"Baseline of Command Line Length - MLTK\\\" must be executed before this detection search, as it builds an ML model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. 
You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown | apply cmdline_pdfmodel threshold=0.01 | rename \\\"IsOutlier(processlen)\\\" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count | `unusually_long_command_line___mltk_filter`\",\n                    \"known_false_positives\": \"Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. If you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. You should also periodically re-run the support search to re-build the ML model on the latest data. 
You may get unexpected results if the user identified in the results is not present in the data used to build the associated model.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Command-Line Executions\",\n                            \"Unusual Processes\",\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of Command Line Length - MLTK\",\n                            \"id\": \"d2a4d85b-fc6a-47a0-82f6-bc1ec2ebc459\",\n                            \"version\": 1,\n                            \"date\": \"2019-05-08\",\n                            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the command lines observed for each user in the environment. By default, the search uses the last 30 days of data to build the model. 
The model created by this search is then used in the corresponding detection search, which identifies outliers in the length of the command line.\",\n                            \"how_to_implement\": \"You must be ingesting endpoint data and populating the Endpoint data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | search user!=unknown | `security_content_ctime(start_time)`| `security_content_ctime(end_time)`| eval processlen=len(process) | fit DensityFunction processlen by user into cmdline_pdfmodel\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                                    \"Ransomware\",\n                                    \"Suspicious Command-Line Executions\",\n                                    
\"Suspicious MSHTA Activity\",\n                                    \"Unusual Processes\"\n                                ],\n                                \"detections\": [\n                                    \"Detect Prohibited Applications Spawning cmd.exe\",\n                                    \"Unusually Long Command Line - MLTK\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"unusually_long_command_line___mltk_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious DNS Traffic\",\n            \"id\": \"3c3835c0-255d-4f9e-ab84-e29ec9ec9b56\",\n            \"version\": 1,\n            \"date\": \"2017-09-18\",\n            \"description\": \"Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). 
You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses.\",\n            \"narrative\": \"Although DNS is one of the fundamental underlying protocols that make the Internet work, it is often ignored (perhaps because of its complexity and effectiveness).  However, attackers have discovered ways to abuse the protocol to meet their objectives. One potential abuse involves manipulating DNS to hijack traffic and redirect it to an IP address under the attacker's control. This could inadvertently send users intending to visit google.com, for example, to an unrelated malicious website. Another technique involves using the DNS protocol for command-and-control activities with the attacker's malicious code or to covertly exfiltrate data. The searches within this Analytic Story look for these types of abuses.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"http://blogs.splunk.com/2015/10/01/random-words-on-entropy-and-dns/\",\n                \"http://www.darkreading.com/analytics/security-monitoring/got-malware-three-signs-revealed-in-dns-traffic/d/d-id/1139680\",\n                \"https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/What-are-suspicious-DNS-queries/ta-p/71454\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Suspicious DNS Traffic\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1048.003\",\n                    \"T1071.004\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"DNS\",\n                    \"Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Exfiltration\",\n    
                \"Command And Control\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT32\",\n                    \"Tropic Trooper\",\n                    \"APT18\",\n                    \"Thrip\",\n                    \"APT39\",\n                    \"Ke3chang\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"APT41\",\n                    \"OilRig\",\n                    \"FIN8\",\n                    \"Cobalt Group\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Clients Connecting to Multiple DNS Servers\",\n                    \"id\": \"74ec6f18-604b-4202-a567-86b2066be3ce\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search.\",\n                    \"how_to_implement\": \"This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro.\\\\\\nThis search produces fields (`dest_count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. 
**Label:** Distinct DNS Connections, **Field:** dest_count\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src | `drop_dm_object_name(\\\"Network_Resolution\\\")` |where dest_count > 5 | `clients_connecting_to_multiple_dns_servers_filter` \",\n                    \"known_false_positives\": \"It's possible that an enterprise has more than five DNS servers that are configured in a round-robin rotation. Please customize the search, as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DNS Hijacking\",\n                            \"Command and Control\",\n                            \"Suspicious DNS Traffic\",\n                            \"Host Redirection\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1048.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 9\",\n                            \"CIS 12\",\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                   
     \"mitre_attack_technique\": [\n                            \"Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Exfiltration\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT32\",\n                            \"APT33\",\n                            \"Thrip\",\n                            \"FIN8\",\n                            \"OilRig\",\n                            \"Lazarus Group\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"clients_connecting_to_multiple_dns_servers_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect hosts connecting to dynamic domain providers\",\n                    \"id\": \"c77162d3-f93c-45cc-80c8-22f6v5464g9f\",\n                    \"version\": 2,\n                    \"date\": \"2020-01-16\",\n                    \"description\": \"Malicious actors often abuse legitimate Dynamic DNS services to host malicious payloads or interactive command and control nodes. 
Attackers will automate domain resolution changes by routing dynamic domains to countless IP addresses to circumvent firewall blocks, blacklists as well as frustrate a network defenders analytic and investigative processes. This search will look for DNS queries made from within your infrastructure to suspicious dynamic domains.\",\n                    \"how_to_implement\": \"First, you'll need to ingest data from your DNS operations. This can be done by ingesting logs from your server or data, collected passively by Splunk Stream or a similar solution. Specifically, data that contains the domain that is being queried and the IP of the host originating the request must be populating the `Network_Resolution` data model. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of Dynamic DNS providers. Please consider updating the local lookup periodically by adding new domains to the list of `dynamic_dns_providers_local.csv`.\\\\\\nThis search produces fields (query, answer, isDynDNS) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable event. To see the additional metadata, add the following fields, if not already present, to Incident Review. Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\\\n1. **Label:** DNS Query, **Field:** query\\\\\\n1. \\\\\\n1. **Label:** DNS Answer, **Field:** answer\\\\\\n1. \\\\\\n1. 
**Label:** IsDynamicDNS, **Field:** isDynDNS\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(DNS.answer) as answer min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name(\\\"DNS\\\")` | `security_content_ctime(firstTime)` | `dynamic_dns_providers` | `detect_hosts_connecting_to_dynamic_domain_providers_filter`\",\n                    \"known_false_positives\": \"Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Data Protection\",\n                            \"Prohibited Traffic Allowed or Protocol Mismatch\",\n                            \"DNS Hijacking\",\n                            \"Suspicious DNS Traffic\",\n                            \"Dynamic DNS\",\n                            \"Command and Control\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 12\",\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"PR.DS\",\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        
],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True\",\n                            \"description\": \"This macro limits the output of the query field to dynamic dns domains. 
It looks up the domains in a file provided by Splunk and one intended to be updated by the end user.\",\n                            \"name\": \"dynamic_dns_providers\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_hosts_connecting_to_dynamic_domain_providers_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Long DNS TXT Record Response\",\n                    \"id\": \"05437c07-62f5-452e-afdc-04dd44815bb9\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic.\",\n                    \"how_to_implement\": \"To successfully implement this search you need to ingest data from your DNS logs, or monitor DNS traffic using Stream, Bro or something similar. 
Specifically, this query requires that the DNS data model is populated with information regarding the DNS record type that is being returned as well as the data in the answer section of the protocol.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type |  `drop_dm_object_name(\\\"DNS\\\")` | eval anslen=len(answer) | search anslen>100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename src as \\\"Source IP\\\", dest as \\\"Destination IP\\\", answer as \\\"DNS Answer\\\" anslen as \\\"Answer Length\\\" record_type as \\\"DNS Record Type\\\" firstTime as \\\"First Time\\\" lastTime as \\\"Last Time\\\" count as Count | table \\\"Source IP\\\" \\\"Destination IP\\\" \\\"DNS Answer\\\" \\\"DNS Record Type\\\"  \\\"Answer Length\\\" Count \\\"First Time\\\" \\\"Last Time\\\" | `detect_long_dns_txt_record_response_filter`\",\n                    \"known_false_positives\": \"It's possible that legitimate TXT record responses can be long enough to trigger this search. 
You can modify the packet threshold for this search to help mitigate false positives.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious DNS Traffic\",\n                            \"Command and Control\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1071.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 12\",\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"PR.DS\",\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"DNS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"OilRig\",\n                            \"Ke3chang\",\n                            \"Cobalt Group\",\n                            \"APT18\",\n                            \"APT41\",\n                            \"FIN7\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data 
model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_long_dns_txt_record_response_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detection of DNS Tunnels\",\n                    \"id\": \"104658f4-afdc-499f-9719-17a43f9826f4\",\n                    \"version\": 2,\n                    \"date\": \"2017-09-18\",\n                    \"description\": \"This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic.\",\n                    \"how_to_implement\": \"To successfully implement this search, we must ensure that DNS data is being ingested and mapped to the appropriate fields in the Network_Resolution data model. 
Fields like src_category are automatically provided by the Assets and Identity Framework shipped with Splunk Enterprise Security. You will need to ensure you are using the Assets and Identity Framework and populating the src_category field. You will also need to enable the `cim_corporate_web_domain_search()` macro which will essentially filter out the DNS queries made to the corporate web domains to reduce alert fatigue.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` dc(\\\"DNS.query\\\") as count  from datamodel=Network_Resolution  where nodename=DNS \\\"DNS.message_type\\\"=\\\"QUERY\\\" NOT (`cim_corporate_web_domain_search(\\\"DNS.query\\\")`) NOT \\\"DNS.query\\\"=\\\"*.in-addr.arpa\\\" NOT (\\\"DNS.src_category\\\"=\\\"svc_infra_dns\\\" OR \\\"DNS.src_category\\\"=\\\"svc_infra_webproxy\\\" OR \\\"DNS.src_category\\\"=\\\"svc_infra_email*\\\"   ) by \\\"DNS.src\\\",\\\"DNS.query\\\" | rename \\\"DNS.src\\\" as src  \\\"DNS.query\\\" as message | eval length=len(message) | stats sum(length) as length by src | append [ tstats `security_content_summariesonly` dc(\\\"DNS.answer\\\") as count  from datamodel=Network_Resolution  where nodename=DNS \\\"DNS.message_type\\\"=\\\"QUERY\\\" NOT (`cim_corporate_web_domain_search(\\\"DNS.query\\\")`) NOT \\\"DNS.query\\\"=\\\"*.in-addr.arpa\\\" NOT (\\\"DNS.src_category\\\"=\\\"svc_infra_dns\\\" OR \\\"DNS.src_category\\\"=\\\"svc_infra_webproxy\\\" OR \\\"DNS.src_category\\\"=\\\"svc_infra_email*\\\"   ) by \\\"DNS.src\\\",\\\"DNS.answer\\\" | rename \\\"DNS.src\\\" as src  \\\"DNS.answer\\\" as message | eval message=if(message==\\\"unknown\\\",\\\"\\\", message) | eval length=len(message) | stats sum(length) as length by src ] | stats sum(length) as length by src | where length > 10000 | `detection_of_dns_tunnels_filter`\",\n                    
\"known_false_positives\": \"It's possible that normal DNS traffic will exhibit this behavior. If an alert is generated, please investigate and validate as appropriate. The threshold can also be modified to better suit your environment.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Data Protection\",\n                            \"Suspicious DNS Traffic\",\n                            \"Command and Control\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1071.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"DNS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"OilRig\",\n                            \"Ke3chang\",\n                            \"Cobalt Group\",\n                            \"APT18\",\n                            \"APT41\",\n                            \"FIN7\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": 
\"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detection_of_dns_tunnels_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"DNS Query Length Outliers - MLTK\",\n                    \"id\": \"85fbcfe8-9718-4911-adf6-7000d077a3a9\",\n                    \"version\": 2,\n                    \"date\": \"2020-01-22\",\n                    \"description\": \"This search allows you to identify DNS requests that are unusually large for the record type being requested in your environment.\",\n                    \"how_to_implement\": \"To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search \\\"Baseline of DNS Query Length - MLTK\\\" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. 
You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\\\\\\nThis search produces fields (`query`,`query_length`,`count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\\\\\\n1. **Label:** DNS Query, **Field:** query\\\\\\n1. **Label:** DNS Query Length, **Field:** query_length\\\\\\n1. **Label:** Number of events, **Field:** count\\\\\\nDetailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* |  `drop_dm_object_name(DNS)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval query_length = len(query) | apply dns_query_pdfmodel threshold=0.01 | rename \\\"IsOutlier(query_length)\\\" as isOutlier | search isOutlier > 0 | sort -query_length | table start_time end_time query record_type count src dest query_length | `dns_query_length_outliers___mltk_filter` \",\n                    \"known_false_positives\": \"If you are seeing more results than desired, you may consider reducing the value for threshold in the search. 
You should also periodically re-run the support search to re-build the ML model on the latest data.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Hidden Cobra Malware\",\n                            \"Suspicious DNS Traffic\",\n                            \"Command and Control\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1071.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"DNS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"OilRig\",\n                            \"Ke3chang\",\n                            \"Cobalt Group\",\n                            \"APT18\",\n                            \"APT41\",\n                            \"FIN7\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of DNS Query Length - MLTK\",\n                            \"id\": \"c914844c-0ff5-4efc-8d44-c063443129ba\",\n         
                   \"version\": 1,\n                            \"date\": \"2019-05-08\",\n                            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the DNS queries for each DNS record type observed in the environment. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search, which uses it to identify outliers in the length of the DNS query.\",\n                            \"how_to_implement\": \"To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. 
More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(\\\"DNS\\\")` | eval query_length = len(query) | fit DensityFunction query_length by record_type into dns_query_pdfmodel\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Command and Control\",\n                                    \"Hidden Cobra Malware\",\n                                    \"Suspicious DNS Traffic\"\n                                ],\n                                \"detections\": [\n                                    \"DNS Query Length Outliers - MLTK\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                     
       \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"dns_query_length_outliers___mltk_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"DNS Query Length With High Standard Deviation\",\n                    \"id\": \"1a67f15a-f4ff-4170-84e9-08cf6f75d6f5\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search allows you to identify DNS requests and compute the standard deviation on the length of the names being resolved, then filter on two times the standard deviation to show you those queries that are unusually large for your environment.\",\n                    \"how_to_implement\": \"To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.query DNS.record_type |  `drop_dm_object_name(\\\"DNS\\\")` | eval query_length = len(query) | table query query_length record_type count | eventstats stdev(query_length) AS stdev avg(query_length) AS avg p50(query_length) AS p50| where query_length>(avg+stdev*2) | eval z_score=(query_length-avg)/stdev | `dns_query_length_with_high_standard_deviation_filter` \",\n                    \"known_false_positives\": \"It's possible there can be long domain names that are legitimate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Hidden Cobra Malware\",\n                            \"Suspicious DNS Traffic\",\n                            \"Command and Control\"\n                        
],\n                        \"mitre_attack_id\": [\n                            \"T1071.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"DNS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"OilRig\",\n                            \"Ke3chang\",\n                            \"Cobalt Group\",\n                            \"APT18\",\n                            \"APT41\",\n                            \"FIN7\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"dns_query_length_with_high_standard_deviation_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"DNS Query Requests Resolved by Unauthorized DNS Servers\",\n                    \"id\": \"1a67f15a-f4ff-4170-84e9-08cf6f75d6f6\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework.\",\n                    \"how_to_implement\": \"To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise Security.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name(\\\"DNS\\\")` | `dns_query_requests_resolved_by_unauthorized_dns_servers_filter` \",\n                    \"known_false_positives\": \"Legitimate DNS activity can be detected in this search. 
Investigate, verify and update the list of authorized DNS servers as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"DNS Hijacking\",\n                            \"Command and Control\",\n                            \"Suspicious DNS Traffic\",\n                            \"Host Redirection\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1071.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\",\n                            \"CIS 3\",\n                            \"CIS 8\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\",\n                            \"PR.IP\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"DNS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"OilRig\",\n                            \"Ke3chang\",\n                            \"Cobalt Group\",\n                            \"APT18\",\n                            \"APT41\",\n                            \"FIN7\"\n                        ]\n                    },\n                    \"macros\": [\n            
            {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"dns_query_requests_resolved_by_unauthorized_dns_servers_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Excessive DNS Failures\",\n                    \"id\": \"104658f4-afdc-499e-9719-17243f9826f1\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search identifies DNS query failures by counting the number of DNS responses that do not indicate success, and trigger on more than 50 occurrences.\",\n                    \"how_to_implement\": \"To successfully implement this search you must ensure that DNS data is populating the Network_Resolution data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(\\\"DNS.query\\\") as queries from datamodel=Network_Resolution where nodename=DNS \\\"DNS.reply_code\\\"!=\\\"No Error\\\" \\\"DNS.reply_code\\\"!=\\\"NoError\\\" DNS.reply_code!=\\\"unknown\\\" NOT \\\"DNS.query\\\"=\\\"*.arpa\\\" \\\"DNS.query\\\"=\\\"*.*\\\" by \\\"DNS.src\\\",\\\"DNS.query\\\"| `drop_dm_object_name(\\\"DNS\\\")`| lookup cim_corporate_web_domain_lookup domain as query OUTPUT domain| where isnull(domain)| lookup update=true alexa_lookup_by_str domain as query 
OUTPUT rank| where isnull(rank)| stats sum(count) as count mode(queries) as queries by src| `get_asset(src)`| where count>50 | `excessive_dns_failures_filter`\",\n                    \"known_false_positives\": \"It is possible legitimate traffic can trigger this rule. Please investigate as appropriate. The threshold for generating an event can also be customized to better suit your environment.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious DNS Traffic\",\n                            \"Command and Control\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1071.004\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Command and Control\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 9\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"DNS\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Command And Control\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT39\",\n                            \"Tropic Trooper\",\n                            \"OilRig\",\n                            \"Ke3chang\",\n                            \"Cobalt Group\",\n                            \"APT18\",\n                            \"APT41\",\n                            \"FIN7\"\n 
                       ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"excessive_dns_failures_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious Emails\",\n            \"id\": \"2b1800dd-92f9-47ec-a981-fdf1351e5d55\",\n            \"version\": 1,\n            \"date\": \"2020-01-27\",\n            \"description\": \"Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.\",\n            \"narrative\": \"It is a common practice for attackers of all types to leverage targeted spearphishing campaigns and mass mailers to deliver weaponized email messages and attachments. Fortunately, there are a number of ways to monitor email data in Splunk to detect suspicious content.\\\\\\nOnce a phishing message has been detected, the next steps are to answer the following questions: \\\\\\n1. Which users have received this or a similar message in the past?\\\\\\n1. When did the targeted campaign begin?\\\\\\n1. 
Have any users interacted with the content of the messages (by downloading an attachment or clicking on a malicious URL)?\\\\\\nThis Analytic Story provides detection searches to identify suspicious emails, as well as contextual and investigative searches to help answer some of these questions.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.splunk.com/blog/2015/06/26/phishing-hits-a-new-level-of-quality/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Suspicious Emails\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1566\",\n                    \"T1566.001\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Phishing\",\n                    \"Spearphishing Attachment\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"TA505\",\n                    \"Dragonfly 2.0\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"Gamaredon Group\",\n                    \"APT41\",\n                    \"Naikon\",\n                    \"BRONZE BUTLER\",\n                    \"Frankenstein\",\n                    \"TA459\",\n                    \"DarkHydrus\",\n                    \"Cobalt Group\",\n                    \"Tropic Trooper\",\n                    \"APT32\",\n                    \"Patchwork\",\n                    \"APT28\",\n                    \"Turla\",\n                    \"Rancor\",\n                    \"RTM\",\n                    \"Sharpshooter\",\n                    \"FIN8\",\n                    
\"Sandworm Team\",\n                    \"Gallmaker\",\n                    \"APT29\",\n                    \"Silence\",\n                    \"Molerats\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"menuPass\",\n                    \"APT-C-36\",\n                    \"Machete\",\n                    \"APT39\",\n                    \"admin@338\",\n                    \"Magic Hound\",\n                    \"Gorgon Group\",\n                    \"Inception\",\n                    \"PLATINUM\",\n                    \"Windshift\",\n                    \"APT12\",\n                    \"The White Company\",\n                    \"Elderwood\",\n                    \"Kimsuky\",\n                    \"Darkhotel\",\n                    \"Mofang\",\n                    \"Wizard Spider\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"FIN4\",\n                    \"BlackTech\",\n                    \"no\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Email Attachments With Lots Of Spaces\",\n                    \"id\": \"56e877a6-1455-4479-ada6-0550dc1e22f8\",\n                    \"version\": 2,\n                    \"date\": \"2017-09-19\",\n                    \"description\": \"Attackers often use spaces as a means to obfuscate an attachment's file extension. This search looks for messages with email attachments that have many spaces within the file names.\",\n                    \"how_to_implement\": \"You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment. 
\\\\\\n **Splunk Phantom Playbook Integration**\\\\\\nIf Splunk Phantom is also configured in your environment, a playbook called \\\"Suspicious Email Attachment Investigate and Delete\\\" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the \\\"Phantom Instance\\\" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name=\\\"*\\\" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Email\\\")` | eval space_ratio = (mvcount(split(file_name,\\\" \\\"))-1)/len(file_name) | search space_ratio >= 0.1 |  rex field=recipient_address \\\"(?<recipient_user>.*)@\\\" | `email_attachments_with_lots_of_spaces_filter`\",\n                    \"known_false_positives\": \"None at this time\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"Suspicious Emails\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\"\n                        ],\n                        \"cis20\": [\n                     
       \"CIS 7\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"email_attachments_with_lots_of_spaces_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Monitor Email For Brand Abuse\",\n                    \"id\": \"b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8\",\n                    \"version\": 2,\n                    \"date\": \"2018-01-05\",\n                    \"description\": \"This search looks for emails claiming to be sent from a domain similar to one that you want to have monitored for abuse.\",\n                    \"how_to_implement\": \"You need to ingest email header data. Specifically the sender's address (src_user) must be populated.  You also need to have run the search \\\"ESCU - DNSTwist Domain Names\\\", which creates the permutations of the domain that will be checked for.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id | `drop_dm_object_name(\\\"All_Email\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval temp=split(src_user, \\\"@\\\") | eval email_domain=mvindex(temp, 1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true | table message_id, src_user, email_domain, recipients, firstTime, lastTime | `monitor_email_for_brand_abuse_filter`\",\n                    \"known_false_positives\": \"None at this time\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Brand Monitoring\",\n                            \"Suspicious Emails\"\n                        ],\n                        \"kill_chain_phases\": [\n  
                          \"Delivery\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 7\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"DNSTwist Domain Names\",\n                            \"id\": \"19f7d2ec-6028-4d01-bcdb-bda9a034c17f\",\n                            \"version\": 2,\n                            \"date\": \"2018-10-08\",\n                            \"description\": \"This search creates permutations of your existing domains, removes the valid domain names and stores them in a specified lookup file so they can be checked for in the associated detection searches.\",\n                            \"how_to_implement\": \"To successfully implement this search you need to update the file called domains.csv in the DA-ESS-SOC/lookup directory. 
Or `cim_corporate_email_domains.csv` and `cim_corporate_web_domains.csv` from **Splunk\\\\_SA\\\\_CIM**.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"| dnstwist domainlist=domains.csv | `remove_valid_domains` | eval domain_abuse=\\\"true\\\" | table domain, domain_abuse | outputlookup brandMonitoring_lookup | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Brand Monitoring\",\n                                    \"Suspicious Emails\"\n                                ],\n                                \"detections\": [\n                                    \"Monitor Email For Brand Abuse\",\n                                    \"Monitor DNS For Brand Abuse\",\n                                    \"Monitor Web Traffic For Brand Abuse\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter 
out false positives. \",\n                            \"name\": \"monitor_email_for_brand_abuse_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Suspicious Email - UBA Anomaly\",\n                    \"id\": \"56e877a6-1455-4479-ad16-0550dc1e33f8\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA).\",\n                    \"how_to_implement\": \"You must be ingesting data from email logs and have Splunk integrated with UBA. This anomaly is raised by a UBA detection model called  \\\"SuspiciousEmailDetectionModel.\\\" Ensure that this model is enabled on your UBA instance.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_UEBA_Events.category) as category from datamodel=UEBA where nodename=All_UEBA_Events.UEBA_Anomalies All_UEBA_Events.UEBA_Anomalies.uba_model = \\\"SuspiciousEmailDetectionModel\\\" by All_UEBA_Events.description All_UEBA_Events.severity All_UEBA_Events.user All_UEBA_Events.uba_event_type All_UEBA_Events.link All_UEBA_Events.signature All_UEBA_Events.url All_UEBA_Events.UEBA_Anomalies.uba_model | `drop_dm_object_name(All_UEBA_Events)` | `drop_dm_object_name(UEBA_Anomalies)`| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_email___uba_anomaly_filter`\",\n                    \"known_false_positives\": \"This detection model will alert on any sender domain that is seen for the first time. This could be a potential false positive. 
The next step is to investigate and whitelist the URL if you determine that it is a legitimate sender.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Emails\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1566\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 7\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Phishing\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n      
                  {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"suspicious_email___uba_anomaly_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Suspicious Email Attachment Extensions\",\n                    \"id\": \"473bd65f-06ca-4dfe-a2b8-ba04ab4a0084\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search looks for emails that have attachments with suspicious file extensions.\",\n                    \"how_to_implement\": \"You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. \\\\\\n **Splunk Phantom Playbook Integration**\\\\\\nIf Splunk Phantom is also configured in your environment, a Playbook called \\\"Suspicious Email Attachment Investigate and Delete\\\" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the \\\"Phantom Instance\\\" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. 
If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name=\\\"*\\\" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Email\\\")` | `suspicious_email_attachments` | `suspicious_email_attachment_extensions_filter` \",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"Suspicious Emails\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1566.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Delivery\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 7\",\n                            \"CIS 12\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Spearphishing Attachment\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n         
                   \"Magic Hound\",\n                            \"Windshift\",\n                            \"APT33\",\n                            \"Sandworm Team\",\n                            \"Naikon\",\n                            \"Gamaredon Group\",\n                            \"Sharpshooter\",\n                            \"Molerats\",\n                            \"Mofang\",\n                            \"Wizard Spider\",\n                            \"RTM\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"BlackTech\",\n                            \"APT-C-36\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"admin@338\",\n                            \"Kimsuky\",\n                            \"APT12\",\n                            \"TA505\",\n                            \"Silence\",\n                            \"The White Company\",\n                            \"APT39\",\n                            \"FIN4\",\n                            \"Darkhotel\",\n                            \"Gallmaker\",\n                            \"Tropic Trooper\",\n                            \"Turla\",\n                            \"Gorgon Group\",\n                            \"Rancor\",\n                            \"DarkHydrus\",\n                            \"Cobalt Group\",\n                            \"FIN7\",\n                            \"OilRig\",\n                            \"Lazarus Group\",\n                            \"APT19\",\n                            \"Dragonfly 2.0\",\n                            \"BRONZE BUTLER\",\n                            \"APT32\",\n                            \"FIN8\",\n                            \"MuddyWater\",\n                            \"APT28\",\n                            \"TA459\",\n                            \"Leviathan\",\n                            \"Patchwork\",\n           
                 \"PLATINUM\",\n                            \"Elderwood\",\n                            \"APT29\",\n                            \"APT37\",\n                            \"menuPass\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true\",\n                            \"description\": \"This macro limits the output to email attachments that have suspicious extensions\",\n                            \"name\": \"suspicious_email_attachments\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"suspicious_email_attachment_extensions_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious GCP Storage Activities\",\n            \"id\": \"4d656b2e-d6be-11ea-87d0-0242ac130003\",\n            \"version\": 1,\n            \"date\": \"2020-08-05\",\n            \"description\": \"Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.\",\n            \"narrative\": \"Similar to other cloud providers, GCP operates on a shared responsibility model. This means the end user, you, are responsible for setting appropriate access control lists and permissions on your GCP resources.\\\\ This Analytics Story concentrates on detecting things like open storage buckets (both read and write) along with storage bucket access from unfamiliar users and IP addresses.\",\n            \"author\": \"Shannon Davis, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://cloud.google.com/blog/products/gcp/4-steps-for-hardening-your-cloud-storage-buckets-taking-charge-of-your-security\",\n                \"https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Suspicious GCP Storage Activities\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1530\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Data from Cloud Storage Object\"\n                
],\n                \"mitre_attack_tactics\": [\n                    \"Collection\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect GCP Storage access from a new IP\",\n                    \"id\": \"ccc3246a-daa1-11ea-87d0-0242ac130022\",\n                    \"version\": 1,\n                    \"date\": \"2020-08-10\",\n                    \"description\": \"This search looks at GCP Storage bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed a GCP Storage bucket.\",\n                    \"how_to_implement\": \"This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). In order to capture public GCP Storage Bucket access logs, you must also enable storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs.  These logs are deposited into the nominated Storage Bucket on an hourly basis and typically show up by 15 minutes past the hour.  It is recommended to configure any saved searches or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes past the hour (cron definition of 30 * * * *).  
A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) stores the previously seen access requests, and is used by this search to determine any newly seen IP addresses accessing the Storage Buckets.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Shannon Davis, Splunk\",\n                    \"search\": \"`google_gcp_pubsub_message` | multikv | rename sc_status_ as status | rename cs_object_ as bucket_name | rename c_ip_ as remote_ip | rename cs_uri_ as request_uri | rename cs_method_ as operation | search status=\\\"\\\\\\\"200\\\\\\\"\\\" | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri | table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri | inputlookup append=t previously_seen_gcp_storage_access_from_remote_ip.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri | outputlookup previously_seen_gcp_storage_access_from_remote_ip.csv | eval newIP=if(firstTime >= relative_time(now(),\\\"-70m@m\\\"), 1, 0) | where newIP=1 | eval first_time=strftime(firstTime,\\\"%m/%d/%y %H:%M:%S\\\") | eval last_time=strftime(lastTime,\\\"%m/%d/%y %H:%M:%S\\\") | table  first_time last_time bucket_name remote_ip operation request_uri | `detect_gcp_storage_access_from_a_new_ip_filter`\",\n                    \"known_false_positives\": \"GCP Storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. 
This will be a false positive, since the search flags any IP whose first observed access falls inside its lookback window (`-70m@m` in the search above, roughly the past 70 minutes rather than two hours), whether or not that access is malicious.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious GCP Storage Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1530\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 13\",\n                            \"CIS 14\"\n                        ],\n                        \"nist\": [\n                            \"PR.DS\",\n                            \"PR.AC\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"GCP Storage Bucket\",\n                        \"mitre_attack_technique\": [\n                            \"Data from Cloud Storage Object\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Collection\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"google_gcp_pubsub_message\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_gcp_storage_access_from_a_new_ip_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect New Open GCP Storage Buckets\",\n                    \"id\": \"f6ea3466-d6bb-11ea-87d0-0242ac130003\",\n                    \"version\": 1,\n                    \"date\": \"2020-08-05\",\n                    \"description\": \"This search looks for GCP PubSub events where a user has added an IAM binding on a GCP Storage bucket for the allUsers principal, which makes the bucket open/public. Note that the search only matches member=allUsers with action=ADD; bindings granted to other broad principals (for example allAuthenticatedUsers) are not flagged as written.\",\n                    \"how_to_implement\": \"This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview).\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Shannon Davis, Splunk\",\n                    \"search\": \"`google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions | spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action | spath output=user path=data.protoPayload.authenticationInfo.principalEmail | spath output=location path=data.protoPayload.resourceLocation.currentLocations{} | spath output=src path=data.protoPayload.requestMetadata.callerIp | spath output=bucketName path=data.protoPayload.resourceName | spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role | spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member | search (member=allUsers AND action=ADD) | table  _time, bucketName, src, user, location, action, role, member | search `detect_new_open_gcp_storage_buckets_filter`\",\n                    \"known_false_positives\": \"While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting any role to the \\\"allUsers\\\" principal, and this search fires on any role binding added for it, not only full control.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious GCP Storage Activities\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1530\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 13\"\n                        ],\n                        \"nist\": [\n                            \"PR.DS\",\n                            \"PR.AC\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"GCP Storage Bucket\",\n                        \"mitre_attack_technique\": [\n                            \"Data from Cloud Storage Object\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Collection\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"google_gcp_pubsub_message\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_new_open_gcp_storage_buckets_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious MSHTA Activity\",\n            \"id\": \"2b1800dd-92f9-47dd-a981-fdf13w1q5d55\",\n            \"version\": 1,\n            \"date\": \"2020-02-03\",\n            \"description\": \"Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.\",\n            \"narrative\": \"One common adversary tactic is to bypass application white-listing solutions via the mshta.exe process, which executes Microsoft HTML applications with the .hta suffix. In these cases, attackers use the trusted Windows utility to proxy execution of malicious files, whether an .hta application, javascript, or VBScript.\\\\\\nOne example of a notable mshta.exe attack was the Kovter malware (https://medium.com/@mbromileyDFIR/malware-monday-aebb456356c5) that was implicated in ransomware and click-fraud attacks. Kovter utilized .hta to execute a series of javascript commands, each progressively more dangerous. 
According to the Mitre Partnership Network (https://attack.mitre.org/wiki/Technique/T1170), FIN7 has leveraged mshta.exe, as has the MuddyWater group, who used it to execute its POWERSTATS payload (which then used the utility to execute additional payloads).\\\\\\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an attacker is leveraging mshta.exe to execute malicious code.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://redcanary.com/blog/windows-registry-attacks-threat-detection/\",\n                \"https://medium.com/@mbromileyDFIR/malware-monday-aebb456356c5\",\n                \"https://attack.mitre.org/wiki/Technique/T1170\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Suspicious MSHTA Activity\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1547.001\",\n                    \"T1059.003\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Windows Command Shell\",\n                    \"Registry Run Keys / Startup Folder\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Execution\",\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Putter Panda\",\n                    \"Dragonfly 2.0\",\n                    \"Soft Cell\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"Rocke\",\n                    \"APT41\",\n                    \"BRONZE BUTLER\",\n                    \"Honeybee\",\n                    \"Gamaredon Group\",\n  
                  \"Frankenstein\",\n                    \"Threat Group-3390\",\n                    \"Cobalt Group\",\n                    \"APT18\",\n                    \"FIN10\",\n                    \"Tropic Trooper\",\n                    \"APT32\",\n                    \"Patchwork\",\n                    \"APT28\",\n                    \"Turla\",\n                    \"Rancor\",\n                    \"RTM\",\n                    \"Sharpshooter\",\n                    \"FIN8\",\n                    \"APT38\",\n                    \"APT29\",\n                    \"Sowbug\",\n                    \"Silence\",\n                    \"Molerats\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"menuPass\",\n                    \"Blue Mockingbird\",\n                    \"Suckfly\",\n                    \"Machete\",\n                    \"APT33\",\n                    \"APT39\",\n                    \"Gorgon Group\",\n                    \"Magic Hound\",\n                    \"admin@338\",\n                    \"Inception\",\n                    \"Kimsuky\",\n                    \"Dark Caracal\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"Threat Group-1314\",\n                    \"FIN6\",\n                    \"TA505\",\n                    \"Ke3chang\",\n                    \"APT1\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect mshta exe running scripts in command-line arguments\",\n                    \"id\": \"b89919ed-fe5f-492c-b139-95dqb161039e\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for the execution of \\\"mshta.exe\\\" with command-line arguments that launch a script. 
The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \\\"mshta.exe\\\" and its parent process.\",\n                    \"how_to_implement\": \"To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mshta.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search (process=*vbscript* OR process=*javascript*) | `detect_mshta_exe_running_scripts_in_command_line_arguments_filter`\",\n                    \"known_false_positives\": \"Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious MSHTA Activity\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Exploitation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n    
                        \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Command Shell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"TA505\",\n                            \"Blue Mockingbird\",\n                            \"Tropic Trooper\",\n                            \"Frankenstein\",\n                            \"OilRig\",\n                            \"Lazarus Group\",\n                            \"Honeybee\",\n                            \"Cobalt Group\",\n                            \"FIN7\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"Turla\",\n                            \"Silence\",\n                            \"APT32\",\n                            \"APT39\",\n                            \"Darkhotel\",\n                            \"MuddyWater\",\n                            \"APT18\",\n                            \"APT38\",\n                            \"Dark Caracal\",\n                            \"Gorgon Group\",\n                            \"Dragonfly 2.0\",\n                            \"Rancor\",\n                            \"Ke3chang\",\n                            \"APT37\",\n                            \"Leviathan\",\n                            \"FIN8\",\n                            \"APT28\",\n                            \"Magic Hound\",\n                            \"Sowbug\",\n                            \"BRONZE BUTLER\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            
\"Gamaredon Group\",\n                            \"Suckfly\",\n                            \"Patchwork\",\n                            \"Threat Group-1314\",\n                            \"APT3\",\n                            \"admin@338\",\n                            \"APT1\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"detect_mshta_exe_running_scripts_in_command_line_arguments_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Prohibited Applications Spawning cmd exe\",\n                    \"id\": \"dcfd6b40-42f9-469d-a433-2e53f7486664\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts and populates the Endpoint data model with the resultant dataset. This search includes a lookup file, `prohibited_apps_launching_cmd.csv`, that contains a list of processes that should not be spawning cmd.exe. You can modify this lookup to better suit your environment.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.parent_process_name Processes.process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd`] | `detect_prohibited_applications_spawning_cmd_exe_filter`\",\n                    \"known_false_positives\": \"There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. 
Investigate and modify the lookup file, as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Command-Line Executions\",\n                            \"Suspicious MSHTA Activity\",\n                            \"Suspicious Zoom Child Processes\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Exploitation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Command Shell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"TA505\",\n                            \"Blue Mockingbird\",\n                            \"Tropic Trooper\",\n                            \"Frankenstein\",\n                            \"OilRig\",\n                            \"Lazarus Group\",\n                            \"Honeybee\",\n                            \"Cobalt Group\",\n                            \"FIN7\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"Turla\",\n                            \"Silence\",\n                            \"APT32\",\n                            \"APT39\",\n                            \"Darkhotel\",\n                     
       \"MuddyWater\",\n                            \"APT18\",\n                            \"APT38\",\n                            \"Dark Caracal\",\n                            \"Gorgon Group\",\n                            \"Dragonfly 2.0\",\n                            \"Rancor\",\n                            \"Ke3chang\",\n                            \"APT37\",\n                            \"Leviathan\",\n                            \"FIN8\",\n                            \"APT28\",\n                            \"Magic Hound\",\n                            \"Sowbug\",\n                            \"BRONZE BUTLER\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Gamaredon Group\",\n                            \"Suckfly\",\n                            \"Patchwork\",\n                            \"Threat Group-1314\",\n                            \"APT3\",\n                            \"admin@338\",\n                            \"APT1\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name=\\\"*\\\" . 
parent_process_name | table parent_process_name\",\n                            \"description\": \"This macro outputs a list of processes that should not be the parent process of cmd.exe\",\n                            \"name\": \"prohibited_apps_launching_cmd\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_prohibited_applications_spawning_cmd_exe_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Registry Keys Used For Persistence\",\n                    \"id\": \"f5f6af30-7aa7-4295-bfe9-07fe87c01a4b\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"The search looks for modifications to registry keys that can be used to launch an application or service at system startup.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report reads and writes to the registry.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*currentversion\\\\\\\\run* OR Registry.registry_path=*currentVersion\\\\\\\\Windows\\\\\\\\Appinit_Dlls* OR Registry.registry_path=CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell* OR Registry.registry_path=*CurrentVersion\\\\\\\\Winlogon\\\\\\\\Userinit* OR Registry.registry_path=*CurrentVersion\\\\\\\\Winlogon\\\\\\\\VmApplet* OR Registry.registry_path=*currentversion\\\\\\\\policies\\\\\\\\explorer\\\\\\\\run* OR Registry.registry_path=*currentversion\\\\\\\\runservices* OR Registry.registry_path=*\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\* OR Registry.registry_path=\\\"*Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options*\\\" OR Registry.registry_path=HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Netsh\\\\\\\\*) by Registry.dest , Registry.status, Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `registry_keys_used_for_persistence_filter`\",\n                    \"known_false_positives\": \"There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Windows Registry Activities\",\n                            \"Suspicious MSHTA Activity\",\n                            \"DHS Report TA18-074A\",\n               
             \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Ransomware\",\n                            \"Windows Persistence Techniques\",\n                            \"Emotet Malware  DHS Report TA18-201A \"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1547.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Registry Run Keys / Startup Folder\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Rocke\",\n                            \"Tropic Trooper\",\n                            \"Gamaredon Group\",\n                            \"Sharpshooter\",\n                            \"Molerats\",\n                            \"Silence\",\n                            \"RTM\",\n                            \"Inception\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"Kimsuky\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"APT18\",\n                        
    \"Turla\",\n                            \"Dark Caracal\",\n                            \"Cobalt Group\",\n                            \"Honeybee\",\n                            \"Threat Group-3390\",\n                            \"Dragonfly 2.0\",\n                            \"Gorgon Group\",\n                            \"Ke3chang\",\n                            \"APT19\",\n                            \"Leviathan\",\n                            \"MuddyWater\",\n                            \"APT37\",\n                            \"BRONZE BUTLER\",\n                            \"Magic Hound\",\n                            \"APT3\",\n                            \"FIN10\",\n                            \"FIN7\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            \"Lazarus Group\",\n                            \"Putter Panda\",\n                            \"APT29\",\n                            \"Darkhotel\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to 
filter out false positives. \",\n                            \"name\": \"registry_keys_used_for_persistence_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious Okta Activity\",\n            \"id\": \"9cbd34af-8f39-4476-a423-bacd126c750b\",\n            \"version\": 1,\n            \"date\": \"2020-04-02\",\n            \"description\": \"Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating over to leverage cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they need to stay productive. The searches in this story will help monitor your Okta environment for suspicious activities and associated user behaviors.\",\n            \"narrative\": \"Okta is the leading single sign on (SSO) provider, allowing users to authenticate once to Okta, and from there access a variety of web-based applications. These applications are assigned to users and allow administrators to centrally manage which users are allowed to access which applications. It also provides centralized logging to help understand how the applications are used and by whom. \\\\\\nWhile SSO is a major convenience for users, it also provides attackers with an opportunity. If the attacker can gain access to Okta, they can access a variety of applications. As such monitoring the environment is important. \\\\\\nWith people moving quickly to adopt web-based applications and ways to manage them, many are still struggling to understand how best to monitor these environments. 
This analytic story provides searches to help monitor this environment, and identify events and activity that warrant further investigation such as credential stuffing or password spraying attacks, and users logging in from multiple locations when travel is disallowed.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://attack.mitre.org/wiki/Technique/T1078\",\n                \"https://owasp.org/www-community/attacks/Credential_stuffing\",\n                \"https://searchsecurity.techtarget.com/answer/What-is-a-password-spraying-attack-and-how-does-it-work\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Suspicious Okta Activity\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.001\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Default Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"no\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Multiple Okta Users With Invalid Credentails From The Same IP\",\n                    \"id\": \"19cba45f-cad3-4032-8911-0c09e0444552\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search detects Okta login failures due to bad credentials for multiple users originating from the same ip address.\",\n                    \"how_to_implement\": \"This search is specific to 
Okta and requires that Okta logs are being ingested in your Splunk deployment.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"`okta` outcome.reason=INVALID_CREDENTIALS | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats min(_time) as firstTime max(_time) as lastTime dc(user) as distinct_users values(user) as users by src_ip, displayMessage, outcome.reason, country, state, city  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |  search distinct_users > 5| `multiple_okta_users_with_invalid_credentails_from_the_same_ip_filter` \",\n                    \"known_false_positives\": \"A single public IP address servicing multiple legitimate users may trigger this search. In addition, the threshold of 5 distinct users may be too low for your needs. You may modify the included filter macro `multiple_okta_users_with_invalid_credentails_from_the_same_ip_filter` to raise the threshold or to exclude specific IP addresses from triggering this search.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Okta Activity\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.001\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"access\",\n                        \"asset_type\": \"Infrastructure\",\n                        \"mitre_attack_technique\": [\n                            \"Default Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n     
                       \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"eventtype=okta_log\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"okta\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"multiple_okta_users_with_invalid_credentails_from_the_same_ip_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Okta Account Lockout Events\",\n                    \"id\": \"62b70968-a0a5-4724-8ac4-67871e6f544d\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"Detect Okta user lockout events\",\n                    \"how_to_implement\": \"This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"`okta` displayMessage=\\\"Max sign in attempts exceeded\\\" | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | table _time, user, country, state, city, src_ip | `okta_account_lockout_events_filter` \",\n                    \"known_false_positives\": \"None. 
Account lockouts should be followed up on to determine whether the actual user caused the lockout or whether it was an unauthorized actor.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Okta Activity\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.001\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"access\",\n                        \"asset_type\": \"Infrastructure\",\n                        \"mitre_attack_technique\": [\n                            \"Default Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"eventtype=okta_log\",\n                            \"description\": \"customer-specific Splunk configurations (e.g. index, source, sourcetype). Replace the macro definition with configurations for your Splunk environment.\",\n                            \"name\": \"okta\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"okta_account_lockout_events_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Okta Failed SSO Attempts\",\n                    \"id\": \"371a6545-2618-4032-ad84-93386b8698c5\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"Detect failed Okta SSO events\",\n                    \"how_to_implement\": \"This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"`okta` displayMessage=\\\"User attempted unauthorized access to app\\\" | stats  min(_time) as firstTime max(_time) as lastTime values(app) as Apps count by user, result ,displayMessage, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_failed_sso_attempts_filter` \",\n                    \"known_false_positives\": \"There may be a faulty config preventing legitmate users from accessing apps they should have access to.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Okta Activity\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.001\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"access\",\n                        \"asset_type\": \"Infrastructure\",\n                        \"mitre_attack_technique\": [\n                            \"Default Accounts\"\n                        ],\n                        
\"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"eventtype=okta_log\",\n                            \"description\": \"customer-specific Splunk configurations (e.g. index, source, sourcetype). Replace the macro definition with configurations for your Splunk environment.\",\n                            \"name\": \"okta\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"okta_failed_sso_attempts_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Okta User Logins From Multiple Cities\",\n                    \"id\": \"7594fa07-9f34-4d01-81cc-d6af6a5db9e8\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search detects logins from the same user from different states in a 24-hour period.\",\n                    \"how_to_implement\": \"This search is specific to Okta and requires that Okta logs are being ingested in your Splunk deployment.\",\n                    \"type\": \"ESCU\",\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"`okta` displayMessage=\\\"User login to Okta\\\" client.geographicalContext.city!=null | stats min(_time) as firstTime max(_time) as lastTime dc(client.geographicalContext.city) as locations values(client.geographicalContext.city) as cities values(client.geographicalContext.state) as states by user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `okta_user_logins_from_multiple_cities_filter` | search locations > 1\",\n                    \"known_false_positives\": \"Users in your environment may legitimately be travelling and logging in from different locations. This search is useful for those users that should *not* be travelling for some reason, such as the COVID-19 pandemic. The search also relies on the geographical information being populated in the Okta logs. 
It is also possible that a connection from another region may be attributed to a login from a remote VPN endpoint.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Okta Activity\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.001\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"access\",\n                        \"asset_type\": \"Infrastructure\",\n                        \"mitre_attack_technique\": [\n                            \"Default Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"eventtype=okta_log\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk environment.\",\n                            \"name\": \"okta\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"okta_user_logins_from_multiple_cities_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious Windows Registry Activities\",\n            \"id\": \"2b1800dd-92f9-47dd-a981-fdf1351e5d55\",\n            \"version\": 1,\n            \"date\": \"2018-05-31\",\n            \"description\": \"Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.\",\n            \"narrative\": \"Attackers are developing increasingly sophisticated techniques for hijacking target servers while evading detection. One such technique that has become progressively more common is registry modification.\\\\\\n The registry is a key component of the Windows operating system. It is a hierarchical database, called the \\\"registry\\\", that contains settings, options, and values for executables. 
Once the threat actor gains access to a machine, they can use reg.exe to modify their account to obtain administrator-level privileges, maintain persistence, and move laterally within the environment.\\\\\\n The searches in this story are designed to help you detect behaviors associated with manipulation of the Windows registry.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://redcanary.com/blog/windows-registry-attacks-threat-detection/\",\n                \"https://attack.mitre.org/wiki/Technique/T1112\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Suspicious Windows Registry Activities\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1547.001\",\n                    \"T1546.011\",\n                    \"T1546.001\",\n                    \"T1112\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Change Default File Association\",\n                    \"Registry Run Keys / Startup Folder\",\n                    \"Modify Registry\",\n                    \"Application Shimming\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Defense Evasion\",\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Putter Panda\",\n                    \"Dragonfly 2.0\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"Gamaredon Group\",\n                    \"APT41\",\n                    \"Honeybee\",\n                    \"BRONZE BUTLER\",\n                    \"Threat Group-3390\",\n                    
\"Cobalt Group\",\n                    \"APT18\",\n                    \"FIN10\",\n                    \"APT32\",\n                    \"Tropic Trooper\",\n                    \"Patchwork\",\n                    \"Turla\",\n                    \"Ke3chang\",\n                    \"RTM\",\n                    \"Sharpshooter\",\n                    \"FIN8\",\n                    \"APT38\",\n                    \"APT29\",\n                    \"Silence\",\n                    \"APT19\",\n                    \"Molerats\",\n                    \"APT37\",\n                    \"Blue Mockingbird\",\n                    \"Machete\",\n                    \"Gorgon Group\",\n                    \"APT39\",\n                    \"Magic Hound\",\n                    \"Inception\",\n                    \"Kimsuky\",\n                    \"Dark Caracal\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"Wizard Spider\",\n                    \"Leviathan\",\n                    \"FIN6\",\n                    \"Rocke\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Disabling Remote User Account Control\",\n                    \"id\": \"bbc644bc-37df-4e1a-9c88-ec9a53e2038c\",\n                    \"version\": 3,\n                    \"date\": \"2020-03-02\",\n                    \"description\": \"The search looks for modifications to registry keys that control the enforcement of Windows User Account Control (UAC).\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or via other endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report registry modifications.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=\\\"*Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\LocalAccountTokenFilterPolicy\\\" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`\",\n                    \"known_false_positives\": \"This registry key may be modified via administrators to implement a change in system policy. This type of change should be a very rare occurrence.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Defense Evasion Tactics\",\n                            \"Suspicious Windows Registry Activities\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1112\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Modify Registry\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            
\"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Gamaredon Group\",\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Turla\",\n                            \"APT32\",\n                            \"APT38\",\n                            \"Dragonfly 2.0\",\n                            \"APT19\",\n                            \"Threat Group-3390\",\n                            \"Honeybee\",\n                            \"Patchwork\",\n                            \"Gorgon Group\",\n                            \"FIN8\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"disabling_remote_user_account_control_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Monitor Registry Keys for Print Monitors\",\n                    \"id\": \"f5f6af30-7ba7-4295-bfe9-07de87c01bbc\",\n                    \"version\": 1,\n                    \"date\": \"2018-11-02\",\n                    \"description\": \"This search looks for registry activity associated with modifications to the registry key `HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors`. 
In this scenario, an attacker can load an arbitrary .dll into the print-monitor registry by giving the full path name to the after.dll. The system will execute the .dll with elevated (SYSTEM) permissions and will persist after reboot.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.action=modified AND Registry.registry_path=\\\"*CurrentControlSet\\\\\\\\Control\\\\\\\\Print\\\\\\\\Monitors*\\\" by Registry.dest, Registry.registry_key_name Registry.status Registry.user Registry.registry_path Registry.action | `drop_dm_object_name(Registry)` | `monitor_registry_keys_for_print_monitors_filter`\",\n                    \"known_false_positives\": \"You will encounter noise from legitimate print-monitor registry entries.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Windows Registry Activities\",\n                            \"Windows Persistence Techniques\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 5\"\n                        ],\n         
               \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"PR.AC\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"monitor_registry_keys_for_print_monitors_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Reg exe used to hide files directories via registry keys\",\n                    \"id\": \"c77162d3-f93c-45cc-80c8-22f6b5264x9f\",\n                    \"version\": 2,\n                    \"date\": \"2019-02-27\",\n                    \"description\": \"The search looks for command-line arguments used to hide a file or directory using the reg add command.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = reg.exe Processes.process=\\\"*add*\\\" Processes.process=\\\"*Hidden*\\\" Processes.process=\\\"*REG_DWORD*\\\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`| regex process = \\\"(/d\\\\s+2)\\\" | `reg_exe_used_to_hide_files_directories_via_registry_keys_filter`\",\n                    \"known_false_positives\": \"None at the moment\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Defense Evasion Tactics\",\n                            \"Suspicious Windows Registry Activities\",\n                            \"Windows Persistence Techniques\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            
\"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"reg_exe_used_to_hide_files_directories_via_registry_keys_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Registry Keys for Creating SHIM Databases\",\n                    \"id\": \"f5f6af30-7aa7-4295-bfe9-07fe87c01bbb\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for registry activity associated with application compatibility shims, which can be leveraged by attackers for various nefarious purposes.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must populate the Change_Analysis data model. This is typically populated via endpoint detection and response products, such as Carbon Black or other endpoint data sources such as Sysmon. 
The data used for this search is typically generated via logs that report reads and writes to the registry.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change_Analysis.All_Changes where All_Changes.object_category=registry AND (All_Changes.object_path=\\\"*CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom*\\\" OR All_Changes.object_path=\\\"*CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\InstalledSDB*\\\") by All_Changes.dest, All_Changes.command, All_Changes.user, All_Changes.object, All_Changes.object_path | `drop_dm_object_name(\\\"All_Changes\\\")` | `registry_keys_for_creating_shim_databases_filter`\",\n                    \"known_false_positives\": \"There are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Windows Registry Activities\",\n                            \"Windows Persistence Techniques\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1546.011\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Application 
Shimming\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Privilege Escalation\",\n                            \"Persistence\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"FIN7\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"registry_keys_for_creating_shim_databases_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Registry Keys Used For Persistence\",\n                    \"id\": \"f5f6af30-7aa7-4295-bfe9-07fe87c01a4b\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"The search looks for modifications to registry keys that can be used to launch an application or service at system startup.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black or endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report reads and writes to the registry.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*currentversion\\\\\\\\run* OR Registry.registry_path=*currentVersion\\\\\\\\Windows\\\\\\\\Appinit_Dlls* OR Registry.registry_path=CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell* OR Registry.registry_path=*CurrentVersion\\\\\\\\Winlogon\\\\\\\\Userinit* OR Registry.registry_path=*CurrentVersion\\\\\\\\Winlogon\\\\\\\\VmApplet* OR Registry.registry_path=*currentversion\\\\\\\\policies\\\\\\\\explorer\\\\\\\\run* OR Registry.registry_path=*currentversion\\\\\\\\runservices* OR Registry.registry_path=*\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\* OR Registry.registry_path=\\\"*Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options*\\\" OR Registry.registry_path=HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Netsh\\\\\\\\*) by Registry.dest , Registry.status, Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `registry_keys_used_for_persistence_filter`\",\n                    \"known_false_positives\": \"There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Windows Registry Activities\",\n                            \"Suspicious MSHTA Activity\",\n                            \"DHS Report TA18-074A\",\n               
             \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Ransomware\",\n                            \"Windows Persistence Techniques\",\n                            \"Emotet Malware  DHS Report TA18-201A \"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1547.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Registry Run Keys / Startup Folder\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Rocke\",\n                            \"Tropic Trooper\",\n                            \"Gamaredon Group\",\n                            \"Sharpshooter\",\n                            \"Molerats\",\n                            \"Silence\",\n                            \"RTM\",\n                            \"Inception\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"Kimsuky\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"APT18\",\n                        
    \"Turla\",\n                            \"Dark Caracal\",\n                            \"Cobalt Group\",\n                            \"Honeybee\",\n                            \"Threat Group-3390\",\n                            \"Dragonfly 2.0\",\n                            \"Gorgon Group\",\n                            \"Ke3chang\",\n                            \"APT19\",\n                            \"Leviathan\",\n                            \"MuddyWater\",\n                            \"APT37\",\n                            \"BRONZE BUTLER\",\n                            \"Magic Hound\",\n                            \"APT3\",\n                            \"FIN10\",\n                            \"FIN7\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            \"Lazarus Group\",\n                            \"Putter Panda\",\n                            \"APT29\",\n                            \"Darkhotel\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to 
filter out false positives. \",\n                            \"name\": \"registry_keys_used_for_persistence_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Registry Keys Used For Privilege Escalation\",\n                    \"id\": \"c9f4b923-f8af-4155-b697-1354f5bcbc5e\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under \\\"Image File Execution Options\\\" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report reads and writes to the registry.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://blog.malwarebytes.com/101/2015/12/an-introduction-to-image-file-execution-options/\"\n                    ],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=\\\"*Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options*\\\") AND (Registry.registry_key_name=GlobalFlag OR Registry.registry_key_name=Debugger) by Registry.dest  Registry.user | `security_content_ctime(lastTime)`  | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `registry_keys_used_for_privilege_escalation_filter`\",\n                    \"known_false_positives\": \"There are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Privilege Escalation\",\n                            \"Suspicious Windows Registry Activities\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1547.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                       
 ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Registry Run Keys / Startup Folder\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Rocke\",\n                            \"Tropic Trooper\",\n                            \"Gamaredon Group\",\n                            \"Sharpshooter\",\n                            \"Molerats\",\n                            \"Silence\",\n                            \"RTM\",\n                            \"Inception\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"Kimsuky\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"APT18\",\n                            \"Turla\",\n                            \"Dark Caracal\",\n                            \"Cobalt Group\",\n                            \"Honeybee\",\n                            \"Threat Group-3390\",\n                            \"Dragonfly 2.0\",\n                            \"Gorgon Group\",\n                            \"Ke3chang\",\n                            \"APT19\",\n                            \"Leviathan\",\n                            \"MuddyWater\",\n                            \"APT37\",\n                            \"BRONZE BUTLER\",\n                            \"Magic Hound\",\n                            \"APT3\",\n                            \"FIN10\",\n                            \"FIN7\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            
\"Lazarus Group\",\n                            \"Putter Panda\",\n                            \"APT29\",\n                            \"Darkhotel\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"registry_keys_used_for_privilege_escalation_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Remote Registry Key modifications\",\n                    \"id\": \"c9f4b923-f8af-4155-b697-1354f5dcbc5e\",\n                    \"version\": 3,\n                    \"date\": \"2020-03-02\",\n                    \"description\": \"This search monitors for remote modifications to registry keys.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must populate the `Endpoint` data model. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report reads and writes to the registry.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where  Registry.registry_path=\\\"\\\\\\\\\\\\\\\\*\\\"  by Registry.dest , Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `remote_registry_key_modifications_filter`\",\n                    \"known_false_positives\": \"This technique may be legitimately used by administrators to modify remote registries, so it's important to filter these events out.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Defense Evasion Tactics\",\n                            \"Suspicious Windows Registry Activities\",\n                            \"Windows Persistence Techniques\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n              
          {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"remote_registry_key_modifications_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Suspicious Changes to File Associations\",\n                    \"id\": \"1b989a0e-0129-4446-a695-f193a5b746fc\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area.\",\n                    \"how_to_implement\": \"To successfully implement this search you need to be ingesting information on registry changes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` nodes.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, 
Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name!=Explorer.exe AND Processes.process_name!=OpenWith.exe by Processes.process_id Processes.dest | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join [| tstats `security_content_summariesonly` values(Registry.registry_path) as registry_path count  FROM datamodel=Endpoint.Registry where Registry.registry_path=*\\\\\\\\Explorer\\\\\\\\FileExts* by Registry.process_id Registry.dest | `drop_dm_object_name(\\\"Registry\\\")` | table process_id dest registry_path]| `suspicious_changes_to_file_associations_filter` \",\n                    \"known_false_positives\": \"There may be other processes in your environment that users may legitimately use to modify file associations. 
If this is the case and you are finding false positives, you can modify the search to add those processes as exceptions.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Windows Registry Activities\",\n                            \"Windows File Extension and Association Abuse\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1546.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\",\n                            \"PR.PT\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Change Default File Association\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Privilege Escalation\",\n                            \"Persistence\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Kimsuky\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                            
    \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"suspicious_changes_to_file_associations_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious WMI Use\",\n            \"id\": \"c8ddc5be-69bc-4202-b3ab-4010b27d7ad5\",\n            \"version\": 2,\n            \"date\": \"2018-10-23\",\n            \"description\": \"Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.\",\n            \"narrative\": \"WMI is a Microsoft infrastructure for management data and operations on Windows operating systems. It includes of a set of utilities that can be leveraged to manage both local and remote Windows systems. Attackers are increasingly turning to WMI abuse in their efforts to conduct nefarious tasks, such as reconnaissance, detection of antivirus and virtual machines, code execution, lateral movement, persistence, and data exfiltration. \\\\\\nThe detection searches included in this Analytic Story are used to look for suspicious use of WMI commands that attackers may leverage to interact with remote systems. 
The searches specifically look for the use of WMI to run processes on remote systems.\\\\\\nIn the event that unauthorized WMI execution occurs, it will be important for analysts and investigators to determine the context of the event. These details may provide insights related to how WMI was used and to what end.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf\",\n                \"https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Suspicious WMI Use\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1021.001\",\n                    \"T1047\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Remote Desktop Protocol\",\n                    \"Windows Management Instrumentation\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Lateral Movement\",\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Dragonfly 2.0\",\n                    \"Soft Cell\",\n                    \"Lazarus Group\",\n                    \"Stolen Pencil\",\n                    \"APT41\",\n                    \"Frankenstein\",\n                    \"Threat Group-3390\",\n                    \"Cobalt Group\",\n                    \"FIN10\",\n                    \"APT32\",\n                    \"TEMP.Veles\",\n                    \"Patchwork\",\n                    \"Deep Panda\",\n 
                   \"FIN8\",\n                    \"APT29\",\n                    \"Silence\",\n                    \"menuPass\",\n                    \"Blue Mockingbird\",\n                    \"Stealth Falcon\",\n                    \"APT39\",\n                    \"Axiom\",\n                    \"APT3\",\n                    \"Wizard Spider\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"APT1\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Process Execution via WMI\",\n                    \"id\": \"24869767-8579-485d-9a4f-d9ddfd8f0cac\",\n                    \"version\": 3,\n                    \"date\": \"2020-03-16\",\n                    \"description\": \"This search looks for processes launched via WMI.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name = *WmiPrvSE.exe by Processes.user Processes.dest Processes.process_name  | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `process_execution_via_wmi_filter` \",\n                    \"known_false_positives\": \"Although unlikely, administrators may use wmi to execute commands for legitimate purposes.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious WMI Use\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1047\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"PR.AT\",\n                            \"PR.AC\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Management Instrumentation\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n          
              ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"APT41\",\n                            \"FIN6\",\n                            \"Soft Cell\",\n                            \"APT32\",\n                            \"MuddyWater\",\n                            \"OilRig\",\n                            \"Threat Group-3390\",\n                            \"FIN8\",\n                            \"Leviathan\",\n                            \"menuPass\",\n                            \"Stealth Falcon\",\n                            \"Lazarus Group\",\n                            \"APT29\",\n                            \"Deep Panda\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"process_execution_via_wmi_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Remote Process Instantiation via WMI\",\n                    \"id\": \"d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for wmic.exe being launched with parameters to spawn a process on a remote system.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = wmic.exe Processes.process=\\\"*/node*\\\" Processes.process=\\\"*process*\\\" Processes.process=\\\"*call*\\\" Processes.process=\\\"*create*\\\"   by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_filter`\",\n                    \"known_false_positives\": \"The wmic.exe utility is a benign Windows application. 
It may be used legitimately by Administrators with these parameters for remote system administration, but it's relatively uncommon.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Ransomware\",\n                            \"Suspicious WMI Use\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1021.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"PR.AT\",\n                            \"PR.AC\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Remote Desktop Protocol\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Lateral Movement\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"TEMP.Veles\",\n                            \"Leviathan\",\n                            \"APT39\",\n                            \"Stolen Pencil\",\n                            \"Cobalt Group\",\n                            \"Dragonfly 2.0\",\n                            \"FIN8\",\n                            \"APT3\",\n                            \"OilRig\",\n                           
 \"menuPass\",\n                            \"FIN10\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            \"Lazarus Group\",\n                            \"APT1\",\n                            \"Axiom\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"remote_process_instantiation_via_wmi_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Remote WMI Command Attempt\",\n                    \"id\": \"272df6de-61f1-4784-877c-1fbc3e2d0838\",\n                    \"version\": 2,\n                    \"date\": \"2018-12-03\",\n                    \"description\": \"This search looks for wmic.exe being launched with parameters to operate on remote systems.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe  AND Processes.process= */node* by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `remote_wmi_command_attempt_filter`\",\n                    \"known_false_positives\": \"Administrators may use this legitimately to gather info from remote systems.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious WMI Use\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1047\"\n                 
       ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"PR.AT\",\n                            \"PR.AC\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Management Instrumentation\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"APT41\",\n                            \"FIN6\",\n                            \"Soft Cell\",\n                            \"APT32\",\n                            \"MuddyWater\",\n                            \"OilRig\",\n                            \"Threat Group-3390\",\n                            \"FIN8\",\n                            \"Leviathan\",\n                            \"menuPass\",\n                            \"Stealth Falcon\",\n                            \"Lazarus Group\",\n                            \"APT29\",\n                            \"Deep Panda\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries 
only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"remote_wmi_command_attempt_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Script Execution via WMI\",\n                    \"id\": \"aa73f80d-d728-4077-b226-81ea0c8be589\",\n                    \"version\": 3,\n                    \"date\": \"2020-03-16\",\n                    \"description\": \"This search looks for scripts launched via WMI.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name = \\\"scrcons.exe\\\" by Processes.user Processes.dest Processes.process_name  | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `script_execution_via_wmi_filter` \",\n                    \"known_false_positives\": \"Although unlikely, administrators may use wmi to launch scripts for legitimate purposes.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious WMI Use\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1047\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"PR.AT\",\n                            \"PR.AC\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Management Instrumentation\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n              
          ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"APT41\",\n                            \"FIN6\",\n                            \"Soft Cell\",\n                            \"APT32\",\n                            \"MuddyWater\",\n                            \"OilRig\",\n                            \"Threat Group-3390\",\n                            \"FIN8\",\n                            \"Leviathan\",\n                            \"menuPass\",\n                            \"Stealth Falcon\",\n                            \"Lazarus Group\",\n                            \"APT29\",\n                            \"Deep Panda\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"script_execution_via_wmi_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"WMI Permanent Event Subscription\",\n                    \"id\": \"71bfdb13-f200-4c6c-b2c9-a2e07adf437d\",\n                    \"version\": 1,\n                    \"date\": \"2018-10-23\",\n                    \"description\": \"This search looks for the creation of WMI permanent event subscriptions.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"`wmi` EventCode=5861 Binding | rex field=Message \\\"Consumer =\\\\s+(?<consumer>[^;|^$]+)\\\" | search consumer!=\\\"NTEventLogEventConsumer=\\\\\\\"SCM Event Log Consumer\\\\\\\"\\\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer, Message | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | rename ComputerName as dest | `wmi_permanent_event_subscription_filter`\",\n                    \"known_false_positives\": \"Although unlikely, administrators may use event subscriptions for legitimate purposes.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious WMI Use\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1047\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": 
[\n                            \"CIS 3\",\n                            \"CIS 5\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"PR.AT\",\n                            \"PR.AC\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Management Instrumentation\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"APT41\",\n                            \"FIN6\",\n                            \"Soft Cell\",\n                            \"APT32\",\n                            \"MuddyWater\",\n                            \"OilRig\",\n                            \"Threat Group-3390\",\n                            \"FIN8\",\n                            \"Leviathan\",\n                            \"menuPass\",\n                            \"Stealth Falcon\",\n                            \"Lazarus Group\",\n                            \"APT29\",\n                            \"Deep Panda\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"wineventlog:microsoft-windows-wmi-activity/operational\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"wmi\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"wmi_permanent_event_subscription_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"WMI Permanent Event Subscription - Sysmon\",\n                    \"id\": \"ad05aae6-3b2a-4f73-af97-57bd26cee3b9\",\n                    \"version\": 1,\n                    \"date\": \"2018-10-23\",\n                    \"description\": \"This search looks for the creation of WMI permanent event subscriptions.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be collecting Sysmon data using Sysmon version 6.1 or greater and have Sysmon configured to generate alerts for WMI activity. 
In addition, you must have at least version 6.0.4 of the Sysmon TA installed to properly parse the fields.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"`sysmon` EventCode=21 | rename host as dest | table _time, dest, user, Operation, EventType, Query, Consumer, Filter | `wmi_permanent_event_subscription___sysmon_filter`\",\n                    \"known_false_positives\": \"Although unlikely, administrators may use event subscriptions for legitimate purposes.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious WMI Use\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1047\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"PR.AT\",\n                            \"PR.AC\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Management Instrumentation\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            
\"APT41\",\n                            \"FIN6\",\n                            \"Soft Cell\",\n                            \"APT32\",\n                            \"MuddyWater\",\n                            \"OilRig\",\n                            \"Threat Group-3390\",\n                            \"FIN8\",\n                            \"Leviathan\",\n                            \"menuPass\",\n                            \"Stealth Falcon\",\n                            \"Lazarus Group\",\n                            \"APT29\",\n                            \"Deep Panda\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"sysmon\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"wmi_permanent_event_subscription___sysmon_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"WMI Temporary Event Subscription\",\n                    \"id\": \"38cbd42c-1098-41bb-99cf-9d6d2b296d83\",\n                    \"version\": 1,\n                    \"date\": \"2018-10-23\",\n                    \"description\": \"This search looks for the creation of WMI temporary event subscriptions.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting the Windows WMI activity logs. 
This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"`wmi` EventCode=5860 Temporary | rex field=Message \\\"NotificationQuery =\\\\s+(?<query>[^;|^$]+)\\\" | search query!=\\\"SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'\\\" AND query!=\\\"SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'\\\" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, query  | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `wmi_temporary_event_subscription_filter`\",\n                    \"known_false_positives\": \"Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. 
You may need to modify the search to create exceptions for other legitimate events.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious WMI Use\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1047\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"PR.AT\",\n                            \"PR.AC\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Management Instrumentation\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"APT41\",\n                            \"FIN6\",\n                            \"Soft Cell\",\n                            \"APT32\",\n                            \"MuddyWater\",\n                            \"OilRig\",\n                            \"Threat Group-3390\",\n                            \"FIN8\",\n                            \"Leviathan\",\n                            \"menuPass\",\n                            \"Stealth Falcon\",\n                            \"Lazarus Group\",\n                      
      \"APT29\",\n                            \"Deep Panda\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=\\\"wineventlog:microsoft-windows-wmi-activity/operational\\\"\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"wmi\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"wmi_temporary_event_subscription_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Suspicious Zoom Child Processes\",\n            \"id\": \"aa3749a6-49c7-491e-a03f-4eaee5fe0258\",\n            \"version\": 1,\n            \"date\": \"2020-04-13\",\n            \"description\": \"Attackers are using Zoom as a vector to increase privileges on a system. 
This story detects new child processes of zoom and provides investigative actions for this detection.\",\n            \"narrative\": \"Zoom is a leader in modern enterprise video communications and its usage has increased dramatically with a large amount of the population under stay-at-home orders due to the COVID-19 pandemic. With increased usage has come increased scrutiny and several security flaws have been found with this application on both Windows and macOS systems.\\\\\\nCurrent detections focus on finding new child processes of this application on a per host basis. Investigative searches are included to gather information needed during an investigation.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://blog.rapid7.com/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/\",\n                \"https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Suspicious Zoom Child Processes\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1068\",\n                    \"T1059.003\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Windows Command Shell\",\n                    \"Exploitation for Privilege Escalation\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Dragonfly 2.0\",\n                    \"Soft Cell\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    
\"APT41\",\n                    \"BRONZE BUTLER\",\n                    \"Honeybee\",\n                    \"Gamaredon Group\",\n                    \"Frankenstein\",\n                    \"Threat Group-3390\",\n                    \"Cobalt Group\",\n                    \"APT18\",\n                    \"FIN10\",\n                    \"Tropic Trooper\",\n                    \"APT32\",\n                    \"Patchwork\",\n                    \"APT28\",\n                    \"Turla\",\n                    \"Rancor\",\n                    \"Whitefly\",\n                    \"FIN8\",\n                    \"APT38\",\n                    \"Sowbug\",\n                    \"Silence\",\n                    \"APT37\",\n                    \"menuPass\",\n                    \"Blue Mockingbird\",\n                    \"Suckfly\",\n                    \"APT33\",\n                    \"APT39\",\n                    \"Gorgon Group\",\n                    \"Magic Hound\",\n                    \"admin@338\",\n                    \"PLATINUM\",\n                    \"Dark Caracal\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"Threat Group-1314\",\n                    \"FIN6\",\n                    \"TA505\",\n                    \"Ke3chang\",\n                    \"APT1\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect Prohibited Applications Spawning cmd exe\",\n                    \"id\": \"dcfd6b40-42f9-469d-a433-2e53f7486664\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity 
from your hosts and populates the Endpoint data model with the resultant dataset. This search includes a lookup file, `prohibited_apps_launching_cmd.csv`, that contains a list of processes that should not be spawning cmd.exe. You can modify this lookup to better suit your environment.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.parent_process_name Processes.process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd`] | `detect_prohibited_applications_spawning_cmd_exe_filter`\",\n                    \"known_false_positives\": \"There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. 
Investigate and modify the lookup file, as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Command-Line Executions\",\n                            \"Suspicious MSHTA Activity\",\n                            \"Suspicious Zoom Child Processes\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1059.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Exploitation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Command Shell\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"TA505\",\n                            \"Blue Mockingbird\",\n                            \"Tropic Trooper\",\n                            \"Frankenstein\",\n                            \"OilRig\",\n                            \"Lazarus Group\",\n                            \"Honeybee\",\n                            \"Cobalt Group\",\n                            \"FIN7\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"Turla\",\n                            \"Silence\",\n                            \"APT32\",\n                            \"APT39\",\n                            \"Darkhotel\",\n                     
       \"MuddyWater\",\n                            \"APT18\",\n                            \"APT38\",\n                            \"Dark Caracal\",\n                            \"Gorgon Group\",\n                            \"Dragonfly 2.0\",\n                            \"Rancor\",\n                            \"Ke3chang\",\n                            \"APT37\",\n                            \"Leviathan\",\n                            \"FIN8\",\n                            \"APT28\",\n                            \"Magic Hound\",\n                            \"Sowbug\",\n                            \"BRONZE BUTLER\",\n                            \"FIN10\",\n                            \"Threat Group-3390\",\n                            \"menuPass\",\n                            \"Gamaredon Group\",\n                            \"Suckfly\",\n                            \"Patchwork\",\n                            \"Threat Group-1314\",\n                            \"APT3\",\n                            \"admin@338\",\n                            \"APT1\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name=\\\"*\\\" . 
parent_process_name | table parent_process_name\",\n                            \"description\": \"This macro outputs a list of process that should not be the parent process of cmd.exe\",\n                            \"name\": \"prohibited_apps_launching_cmd\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_prohibited_applications_spawning_cmd_exe_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"First Time Seen Child Process of Zoom\",\n                    \"id\": \"e91bd102-d630-4e76-ab73-7e3ba22c5961\",\n                    \"version\": 1,\n                    \"date\": \"2020-05-20\",\n                    \"description\": \"This search looks for child processes spawned by zoom.exe or zoom.us that has not previously been seen.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You should run the baseline search `Previously Seen Zoom Child Processes - Initial` to build the initial table of child processes and hostnames for this search to work. 
You should also schedule at the same interval as this search the second baseline search `Previously Seen Zoom Child Processes - Update` to keep this table up to date and to age out old child processes. Please update the `previously_seen_zoom_child_processes_window` macro to adjust the time window.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_id) as parent_process_id values(Processes.process_name) as process_name values(Processes.process) as process from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_id Processes.dest | `drop_dm_object_name(Processes)` | lookup zoom_first_time_child_process dest as dest process_name as process_name OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), \\\"`previously_seen_zoom_child_processes_window`\\\") | `security_content_ctime(firstTime)` | table firstTime dest, process_id, process_name, parent_process_id, parent_process_name |`first_time_seen_child_process_of_zoom_filter`\",\n                    \"known_false_positives\": \"A new child process of zoom isn't malicious by that fact alone. 
Further investigation of the actions of the child process is needed to verify any malicious behavior is taken.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Zoom Child Processes\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1068\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Exploitation for Privilege Escalation\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Whitefly\",\n                            \"APT33\",\n                            \"Cobalt Group\",\n                            \"PLATINUM\",\n                            \"FIN8\",\n                            \"APT32\",\n                            \"Threat Group-3390\",\n                            \"FIN6\",\n                            \"APT28\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen Zoom Child Processes - Initial\",\n                            \"id\": \"60b9c00f-a9d6-4e51-803c-5d63ea21b95b\",\n          
                  \"version\": 1,\n                            \"date\": \"2020-05-20\",\n                            \"description\": \"This search returns the first and last time a process was seen per endpoint with a parent process of zoom.exe (Windows) or zoom.us (macOS). This table is then cached.\",\n                            \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTimeSeen max(_time) as lastTimeSeen from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_name Processes.dest| `drop_dm_object_name(Processes)` | table dest, process_name, firstTimeSeen, lastTimeSeen | outputlookup zoom_first_time_child_process\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious Zoom Child Processes\"\n                                ],\n                                \"detections\": [\n                                    \"First Time Seen Child Process of Zoom\"\n                                ],\n                                \"deployments\": [\n                                    \"90 Day Baseline\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Previously Seen Zoom Child Processes - Update\",\n                            \"id\": \"80aea7fd-5da2-4533-b3c2-560533bfbaee\",\n                            \"version\": 1,\n                            \"date\": \"2020-05-20\",\n                            \"description\": \"This search returns the 
first and last time a process was seen per endpoint with a parent process of zoom.exe (Windows) or zoom.us (macOS) within the last hour. It then updates this information with historical data and filters out process_name and endpoint pairs that have not been seen within the specified time window. This updated table is output to disk.\",\n                            \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTimeSeen max(_time) as lastTimeSeen from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_name Processes.dest| `drop_dm_object_name(Processes)` | table firstTimeSeen, lastTimeSeen, process_name, dest | inputlookup zoom_first_time_child_process append=t | stats min(firstTimeSeen) as firstTimeSeen max(lastTimeSeen) as lastTimeSeen by process_name, dest | where lastTimeSeen > relative_time(now(), \\\"`previously_seen_zoom_child_processes_forget_window`\\\") | outputlookup zoom_first_time_child_process\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Suspicious Zoom Child Processes\"\n                                ],\n                                \"detections\": [\n                                    \"First Time Seen Child Process of Zoom\"\n                                ],\n                                \"deployments\": [\n                                    \"Hourly Cache Updates\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                
        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"description\": \"Use this macro to determine how far back you should be checking for new zoom child processes\",\n                            \"definition\": \"-70m@m\",\n                            \"name\": \"previously_seen_zoom_child_processes_window\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"first_time_seen_child_process_of_zoom_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Unusual AWS EC2 Modifications\",\n            \"id\": \"73de57ef-0dfc-411f-b1e7-fa24428aeae0\",\n            \"version\": 1,\n            \"date\": \"2018-04-09\",\n            \"description\": \"Identify unusual changes to your AWS EC2 instances that may indicate malicious activity. 
Modifications to your EC2 instances by previously unseen users is an example of an activity that may warrant further investigation.\",\n            \"narrative\": \"A common attack technique is to infiltrate a cloud instance and make modifications. The adversary can then secure access to your infrastructure or hide their activities. So it's important to stay alert to changes that may indicate that your environment has been compromised. \\\\\\n Searches within this Analytic Story can help you detect the presence of a threat by monitoring for EC2 instances that have been created or changed--either by users that have never previously performed these activities or by known users who modify or create instances in a way that have not been done before. This story also provides investigative searches that help you go deeper once you detect suspicious behavior.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Unusual AWS EC2 Modifications\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Cloud Security\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1078.004\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Cloud Accounts\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"EC2 Instance Modified With Previously 
Unseen User\",\n                    \"id\": \"56f91724-cf3f-4666-84e1-e3712fb41e76\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for EC2 instances being modified by users who have not previously modified them.\",\n                    \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the \\\"Previously Seen EC2 Launches By User\\\" support search once to create a history of previously seen ARNs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`cloudtrail` `ec2_modification_api_calls` [search `cloudtrail` `ec2_modification_api_calls` errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_modifications_by_user | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | eval newUser=if(firstTime >= relative_time(now(), \\\"-70m@m\\\"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=dest responseElements.instancesSet.items{}.instanceId | spath output=user userIdentity.arn | table _time, user, dest | `ec2_instance_modified_with_previously_unseen_user_filter`\",\n                    \"known_false_positives\": \"It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. 
Verify with the user that is modifying instances that this is the intended behavior.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Unusual AWS EC2 Modifications\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078.004\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 1\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"AWS Instance\",\n                        \"mitre_attack_technique\": [\n                            \"Cloud Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT33\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen EC2 Modifications By User\",\n                            \"id\": \"4d69091b-d975-4267-85df-888bd41034eb\",\n                            \"version\": 1,\n                            \"date\": \"2018-04-05\",\n                            \"description\": \"This search builds a table of previously seen ARNs that have successfully modified an EC2 instance (CloudTrail events matching `ec2_modification_api_calls` with errorCode=success) and writes it to the `previously_seen_ec2_modifications_by_user` lookup.\",\n                            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"`cloudtrail` `ec2_modification_api_calls` errorCode=success | spath output=arn userIdentity.arn | stats earliest(_time) as firstTime latest(_time) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | stats count\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Unusual AWS EC2 Modifications\"\n                                ],\n                                \"detections\": [\n                                    \"EC2 Instance Modified With Previously Unseen User\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"sourcetype=aws:cloudtrail\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk environment.\",\n                            \"name\": \"cloudtrail\"\n                        },\n                        {\n                            \"definition\": \"(eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=GetConsoleOutput OR eventName=GetConsoleScreenshot OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)\",\n                            \"description\": \"This is a list of AWS event names that have to do with modifying Amazon EC2 instances. Note that GetConsoleOutput and GetConsoleScreenshot are read-only console-access calls rather than instance modifications; remove them if you only want state-changing actions, or keep them because console access by an unfamiliar principal is still worth reviewing. The macro matches on eventName alone, so add errorCode=success in the calling search where only successful calls are wanted.\",\n                            \"name\": \"ec2_modification_api_calls\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"ec2_instance_modified_with_previously_unseen_user_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Unusual Processes\",\n            \"id\": \"f4368e3f-d59f-4192-84f6-748ac5a3ddb6\",\n            \"version\": 2,\n            \"date\": \"2020-02-04\",\n            \"description\": \"Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. 
Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.\",\n            \"narrative\": \"Being able to profile a host's processes within your environment can help you more quickly identify processes that seem out of place when compared to the rest of the population of hosts or asset types.\\\\\\nThis Analytic Story lets you identify processes that are either a) not typically seen running or b) have some sort of suspicious command-line arguments associated with them. This Analytic Story will also help you identify the user running these processes and the associated process activity on the host.\\\\\\nIn the event an unusual process is identified, it is imperative to better understand how that process was able to execute on the host, when it first executed, and whether other hosts are affected. This extra information may provide clues that can help the analyst further investigate any suspicious activity.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-two.html\",\n                \"https://www.splunk.com/pdfs/technical-briefs/advanced-threat-detection-and-response-tech-brief.pdf\",\n                \"https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Unusual Processes\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Malware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1218.011\",\n                    \"T1036\",\n                    \"T1204.002\"\n                ],\n                \"mitre_attack_technique\": [\n 
                   \"Rundll32\",\n                    \"Malicious File\",\n                    \"Masquerading\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\",\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Dragonfly 2.0\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"BRONZE BUTLER\",\n                    \"Gamaredon Group\",\n                    \"Naikon\",\n                    \"Frankenstein\",\n                    \"TA459\",\n                    \"DarkHydrus\",\n                    \"Cobalt Group\",\n                    \"APT32\",\n                    \"Tropic Trooper\",\n                    \"Patchwork\",\n                    \"APT28\",\n                    \"Rancor\",\n                    \"CopyKittens\",\n                    \"Whitefly\",\n                    \"RTM\",\n                    \"Sharpshooter\",\n                    \"FIN8\",\n                    \"APT29\",\n                    \"Sandworm Team\",\n                    \"Gallmaker\",\n                    \"Silence\",\n                    \"APT19\",\n                    \"Molerats\",\n                    \"APT37\",\n                    \"menuPass\",\n                    \"Blue Mockingbird\",\n                    \"APT-C-36\",\n                    \"Machete\",\n                    \"APT39\",\n                    \"admin@338\",\n                    \"Magic Hound\",\n                    \"Gorgon Group\",\n                    \"Inception\",\n                    \"PLATINUM\",\n                    \"Windshift\",\n                    \"APT12\",\n                    \"The White Company\",\n                    \"Elderwood\",\n                    \"Dark Caracal\",\n                    \"Carbanak\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"Wizard 
Spider\",\n                    \"Mofang\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"FIN4\",\n                    \"BlackTech\",\n                    \"TA505\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect processes used for System Network Configuration Discovery\",\n                    \"id\": \"a51bfe1a-94f0-48cc-b1e4-16ae10145893\",\n                    \"version\": 1,\n                    \"date\": \"2018-11-20\",\n                    \"description\": \"This search looks for fast execution of processes used for system network configuration discovery on the endpoint.\",\n                    \"how_to_implement\": \"You must be ingesting data that records registry activity from your hosts to populate the Endpoint data model in the processes node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon. 
The data used for this search is usually generated via endpoint logs that report process execution, including the command line and parent process, or via Windows event logs after enabling process tracking in your Windows audit settings.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter`\",\n                    \"known_false_positives\": \"It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. 
These can generate false positives.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Unusual Processes\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\",\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 2\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"(process_name= \\\"arp.exe\\\" OR process_name= \\\"at.exe\\\" OR process_name= \\\"attrib.exe\\\" OR process_name= \\\"cscript.exe\\\" OR process_name= 
\\\"dsquery.exe\\\" OR process_name= \\\"hostname.exe\\\" OR process_name= \\\"ipconfig.exe\\\" OR process_name= \\\"mimikatz.exe\\\" OR process_name= \\\"nbstat.exe\\\" OR process_name= \\\"net.exe\\\" OR process_name= \\\"netsh.exe\\\" OR process_name= \\\"nslookup.exe\\\" OR process_name= \\\"ping.exe\\\" OR process_name= \\\"quser.exe\\\" OR process_name= \\\"qwinsta.exe\\\" OR process_name= \\\"reg.exe\\\" OR process_name= \\\"runas.exe\\\" OR process_name= \\\"sc.exe\\\" OR process_name= \\\"schtasks.exe\\\" OR process_name= \\\"ssh.exe\\\" OR process_name= \\\"systeminfo.exe\\\" OR process_name= \\\"taskkill.exe\\\" OR process_name= \\\"telnet.exe\\\" OR process_name= \\\"tracert.exe\\\" OR process_name=\\\"wscript.exe\\\" OR process_name= \\\"xcopy.exe\\\")\",\n                            \"description\": \"This macro is a list of process that can be used to discover the network configuration\",\n                            \"name\": \"system_network_configuration_discovery_tools\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"detect_processes_used_for_system_network_configuration_discovery_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Rare Executables\",\n                    \"id\": \"44fddcb2-8d3b-454c-874e-7c6de5a4f7ac\",\n                    \"version\": 5,\n                    \"date\": \"2020-03-16\",\n                    \"description\": \"This search will return a table of rare processes, the names of the systems running them, and the users who initiated each process.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts and populating the endpoint data model with the resultant dataset. The macro `filter_rare_process_whitelist` searches two lookup files to whitelist your processes.  These consist of `rare_process_whitelist_default.csv` and `rare_process_whitelist_local.csv`. To add your own processes to the whitelist, add them to `rare_process_whitelist_local.csv`. If you wish to remove an entry from the default lookup file, you will have to modify the macro itself to set the whitelist value for that process to false. 
You can modify the limit parameter and search scheduling to better suit your environment.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name  | rename Processes.process_name as process | rex field=user \\\"(?<user_domain>.*)\\\\\\\\\\\\\\\\(?<user_name>.*)\\\" | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search [| tstats count from datamodel=Endpoint.Processes by Processes.process_name | rare Processes.process_name limit=30 | rename Processes.process_name as process| `filter_rare_process_whitelist`| table process ] | `detect_rare_executables_filter` \",\n                    \"known_false_positives\": \"Some legitimate processes may be only rarely executed in your environment. 
As these are identified, update `rare_process_whitelist_local.csv` to filter them out of your search results.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Emotet Malware  DHS Report TA18-201A \",\n                            \"Unusual Processes\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\",\n                            \"Command and Control\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 2\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.PT\",\n                            \"PR.DS\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": 
\"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"lookup update=true lookup_rare_process_whitelist_default process as process OUTPUTNEW whitelist | where whitelist=\\\"false\\\" | lookup update=true lookup_rare_process_whitelist_local process as process OUTPUT whitelist | where whitelist=\\\"false\\\"\",\n                            \"description\": \"This macro is intended to whitelist processes that have been definied as rare\",\n                            \"name\": \"filter_rare_process_whitelist\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_rare_executables_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"RunDLL Loading DLL By Ordinal\",\n                    \"id\": \"6c135f8d-5e60-454e-80b7-c56eed739833\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for DLLs under %AppData% being loaded by rundll32.exe that are calling the exported function at ordinal 2. Calling exported functions by ordinal is not as common as calling by exported name. There was a bug fixed in IDAPro on 2016-08-08 that would not display functions without names.  Calling functions by ordinal would overcome the lack of name and make it harder for analyst to reverse engineer.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = rundll32.exe Processes.process=\\\"*AppData*\\\" Processes.process=\\\"*,#2\\\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll_loading_dll_by_ordinal_filter`\",\n                    \"known_false_positives\": \"While not common, loading a DLL under %AppData% and calling a function by ordinal is possible by a legitimate process\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Unusual Processes\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1218.011\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Rundll32\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                     
   \"mitre_attack_groups\": [\n                            \"APT32\",\n                            \"Sandworm Team\",\n                            \"Blue Mockingbird\",\n                            \"TA505\",\n                            \"MuddyWater\",\n                            \"APT29\",\n                            \"APT19\",\n                            \"CopyKittens\",\n                            \"APT3\",\n                            \"Carbanak\",\n                            \"APT28\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"rundll_loading_dll_by_ordinal_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"System Processes Run From Unexpected Locations\",\n                    \"id\": \"a34aae96-ccf8-4aef-952c-3ea21444444d\",\n                    \"version\": 5,\n                    \"date\": \"2020-02-04\",\n                    \"description\": \"This search looks for system processes that normally run out of C:\\\\Windows\\\\System32\\\\ or C:\\\\Windows\\\\SysWOW64 that are not run from that location.  This can indicate a malicious process that is trying to hide as a legitimate process.\",\n                    \"how_to_implement\": \"To successfully implement this search you need to ingest details about process execution from your hosts. Specifically, this search requires the process name and the full path to the process executable.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !=\\\"C:\\\\\\\\Windows\\\\\\\\System32*\\\" Processes.process_path !=\\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64*\\\" by Processes.user Processes.dest Processes.process_name Processes.process_id Processes.process_path Processes.parent_process_name Processes.process_hash| `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `is_windows_system_file` | `system_processes_run_from_unexpected_locations_filter`\",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Command-Line Executions\",\n                         
   \"Unusual Processes\",\n                            \"Ransomware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1036\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Masquerading\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Windshift\",\n                            \"APT32\",\n                            \"BRONZE BUTLER\",\n                            \"menuPass\",\n                            \"Dragonfly 2.0\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true\",\n                            \"description\": \"This macro limits the output to process names that are in the Windows System directory\",\n                            \"name\": \"is_windows_system_file\"\n                        },\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": 
\"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"system_processes_run_from_unexpected_locations_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Uncommon Processes On Endpoint\",\n                    \"id\": \"29ccce64-a10c-4389-a45f-337cb29ba1f7\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search looks for applications on the endpoint that you have marked as uncommon.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. This search uses a lookup file `uncommon_processes_default.csv` to track various features of process names that are usually uncommon in most environments. 
Please consider updating `uncommon_processes_local.csv` to hunt for processes that are uncommon in your environment.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `uncommon_processes` |`uncommon_processes_on_endpoint_filter` \",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Privilege Escalation\",\n                            \"Unusual Processes\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1204.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 2\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Malicious File\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Magic Hound\",\n                            \"Windshift\",\n                  
          \"APT33\",\n                            \"Sandworm Team\",\n                            \"Naikon\",\n                            \"Whitefly\",\n                            \"Tropic Trooper\",\n                            \"Gamaredon Group\",\n                            \"Sharpshooter\",\n                            \"Molerats\",\n                            \"Wizard Spider\",\n                            \"Mofang\",\n                            \"Frankenstein\",\n                            \"RTM\",\n                            \"Inception\",\n                            \"BlackTech\",\n                            \"APT-C-36\",\n                            \"Machete\",\n                            \"admin@338\",\n                            \"APT12\",\n                            \"TA505\",\n                            \"Silence\",\n                            \"The White Company\",\n                            \"APT39\",\n                            \"FIN4\",\n                            \"Darkhotel\",\n                            \"Gallmaker\",\n                            \"APT19\",\n                            \"Dragonfly 2.0\",\n                            \"BRONZE BUTLER\",\n                            \"Cobalt Group\",\n                            \"DarkHydrus\",\n                            \"Gorgon Group\",\n                            \"Patchwork\",\n                            \"OilRig\",\n                            \"Dark Caracal\",\n                            \"MuddyWater\",\n                            \"Lazarus Group\",\n                            \"FIN7\",\n                            \"APT32\",\n                            \"Rancor\",\n                            \"APT37\",\n                            \"FIN8\",\n                            \"APT28\",\n                            \"Elderwood\",\n                            \"TA459\",\n                            \"APT29\",\n                            \"Leviathan\",\n                  
          \"menuPass\",\n                            \"PLATINUM\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"lookup update=true lookup_uncommon_processes_default process_name as process_name outputnew uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default | lookup update=true  lookup_uncommon_processes_local process_name as process_name outputnew uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local | eval uncommon = coalesce(uncommon_default, uncommon_local), analytic_story = coalesce(analytic_story_default, analytic_story_local), category=coalesce(category_default, category_local), kill_chain_phase=coalesce(kill_chain_phase_default, kill_chain_phase_local), mitre_attack=coalesce(mitre_attack_default, mitre_attack_local) | fields - analytic_story_default, analytic_story_local, category_default, category_local, kill_chain_phase_default, kill_chain_phase_local, mitre_attack_default, mitre_attack_local, uncommon_default, uncommon_local | search uncommon=true\",\n                            \"description\": \"This macro limits the output to 
processes that have been marked as uncommon\",\n                            \"name\": \"uncommon_processes\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"uncommon_processes_on_endpoint_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Unusually Long Command Line\",\n                    \"id\": \"c77162d3-f93c-45cc-80c8-22f6a4264e7f\",\n                    \"version\": 4,\n                    \"date\": \"2020-03-16\",\n                    \"description\": \"Command lines that are extremely long may be indicative of malicious activity on your hosts.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships, from your endpoints to populate the Endpoint data model in the Processes node. 
The command-line arguments are mapped to the process field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|  eval processlen=len(process) | eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process | `unusually_long_command_line_filter` | eval threshold = 10 | where maxlen > ((threshold*stdevperhost) + avgperhost)\",\n                    \"known_false_positives\": \"Some legitimate applications start with long command lines.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Command-Line Executions\",\n                            \"Unusual Processes\",\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"\",\n                        \"mitre_attack_technique\": [],\n                      
  \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"tstats data model options. Despite the macro name, this definition (summariesonly=false allow_old_summaries=true) does not restrict the search to accelerated summaries: unsummarized raw events are searched as well, and summaries built from an older data model definition are accepted.\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"unusually_long_command_line_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Unusually Long Command Line - MLTK\",\n                    \"id\": \"57edaefa-a73b-45e5-bbae-f39c1473f941\",\n                    \"version\": 1,\n                    \"date\": \"2019-05-08\",\n                    \"description\": \"Command lines that are extremely long may be indicative of malicious activity on your hosts. This search leverages the Machine Learning Toolkit (MLTK) to help identify command lines with lengths that are unusual for a given user.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that monitors command lines and populates the Endpoint data model in the Processes node. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. In addition, MLTK version >= 4.2 must be installed on your search heads, along with any required dependencies. Finally, the support search \\\"Baseline of Command Line Length - MLTK\\\" must be executed before this detection search, as it builds an ML model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown | apply cmdline_pdfmodel threshold=0.01 | rename \\\"IsOutlier(processlen)\\\" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count | `unusually_long_command_line___mltk_filter`\",\n                    \"known_false_positives\": \"Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. If you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. You should also periodically re-run the support search to re-build the ML model on the latest data. 
You may get unexpected results if the user identified in the results is not present in the data used to build the associated model.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Command-Line Executions\",\n                            \"Unusual Processes\",\n                            \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Ransomware\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Baseline of Command Line Length - MLTK\",\n                            \"id\": \"d2a4d85b-fc6a-47a0-82f6-bc1ec2ebc459\",\n                            \"version\": 1,\n                            \"date\": \"2019-05-08\",\n                            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the command lines observed for each user in the environment. By default, the search uses the last 30 days of data to build the model. 
The model created by this search is then used in the corresponding detection search, which identifies outliers in the length of the command line.\",\n                            \"how_to_implement\": \"You must be ingesting endpoint data and populating the Endpoint data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n                            \"author\": \"Rico Valdez, Splunk\",\n                            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | search user!=unknown | `security_content_ctime(start_time)`| `security_content_ctime(end_time)`| eval processlen=len(process) | fit DensityFunction processlen by user into cmdline_pdfmodel\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                                    \"Ransomware\",\n                                    \"Suspicious Command-Line Executions\",\n                                    
\"Suspicious MSHTA Activity\",\n                                    \"Unusual Processes\"\n                                ],\n                                \"detections\": [\n                                    \"Detect Prohibited Applications Spawning cmd.exe\",\n                                    \"Unusually Long Command Line - MLTK\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"tstats data model options. Despite the macro name, this definition (summariesonly=false allow_old_summaries=true) does not restrict the search to accelerated summaries: unsummarized raw events are searched as well, and summaries built from an older data model definition are accepted.\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"unusually_long_command_line___mltk_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Use of Cleartext Protocols\",\n            \"id\": \"826e6431-aeef-41b4-9fc0-6d0985d65a21\",\n            \"version\": 1,\n            \"date\": \"2017-09-15\",\n            \"description\": \"Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.\",\n            \"narrative\": \"Various legacy protocols operate by default in the clear, without the protections of encryption. This potentially leaks sensitive information that can be exploited by passively sniffing network traffic. Depending on the protocol, this information could be highly sensitive, or could allow for session hijacking. In addition, these protocols send authentication information, which would allow for the harvesting of usernames and passwords that could potentially be used to authenticate and compromise secondary systems.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.monkey.org/~dugsong/dsniff/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Use of Cleartext Protocols\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Best Practices\"\n                ],\n                \"mitre_attack_id\": [],\n                \"mitre_attack_technique\": [],\n                \"mitre_attack_tactics\": [],\n                \"mitre_attack_groups\": []\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Protocols passing authentication in cleartext\",\n                    \"id\": \"6923cd64-17a0-453c-b945-81ac2d8c6db9\",\n                    \"version\": 1,\n                    \"date\": 
\"2017-09-15\",\n                    \"description\": \"This search looks for cleartext protocols at risk of leaking credentials. Currently, this consists of legacy protocols such as telnet, POP3, IMAP, and non-anonymous FTP sessions. While some of these protocols can be used over SSL/TLS, they typically run on different assigned ports in those cases. Note that STARTTLS-style upgrades negotiate encryption on the same port (for example IMAP on 143 or POP3 on 110), so a match on destination port alone cannot distinguish such sessions from cleartext ones.\",\n                    \"how_to_implement\": \"This search requires you to be ingesting your network traffic, and populating the Network_Traffic data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.protocol=\\\"tcp\\\" AND (All_Traffic.dest_port=\\\"23\\\" OR All_Traffic.dest_port=\\\"143\\\" OR All_Traffic.dest_port=\\\"110\\\" OR (All_Traffic.dest_port=\\\"21\\\" AND All_Traffic.user != \\\"anonymous\\\")) groupby All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(\\\"All_Traffic\\\")` | `protocols_passing_authentication_in_cleartext_filter`\",\n                    \"known_false_positives\": \"Some networks may use Kerberized FTP or telnet servers; however, this is rare. Because the search keys only on destination port (23, 143, 110, 21), sessions that upgrade to TLS via STARTTLS on the standard port will also match, and cleartext use of these protocols on non-standard ports will not be detected.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Use of Cleartext Protocols\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Reconnaissance\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 9\",\n                            \"CIS 14\"\n                        ],\n                        \"nist\": [\n                            
\"PR.PT\",\n                            \"DE.AE\",\n                            \"PR.AC\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"tstats data model options. Despite the macro name, this definition (summariesonly=false allow_old_summaries=true) does not restrict the search to accelerated summaries: unsummarized raw events are searched as well, and summaries built from an older data model definition are accepted.\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"protocols_passing_authentication_in_cleartext_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Web Fraud Detection\",\n            \"id\": \"31337aaa-bc22-4752-b599-ef112dq1dq7a\",\n            \"version\": 1,\n            \"date\": \"2018-10-08\",\n            \"description\": \"Monitor your environment for activity consistent with common attack techniques bad actors use when attempting to compromise web servers or other web-related assets.\",\n            \"narrative\": \"The Federal Bureau of Investigation (FBI) defines Internet fraud as the use of Internet services or software with Internet access to defraud victims or to otherwise take advantage of them. According to the Bureau, Internet crime schemes are used to steal millions of dollars each year from victims and continue to plague the Internet through various methods. The agency includes phishing scams, data breaches, Denial of Service (DOS) attacks, email account compromise, malware, spoofing, and ransomware in this category.\\\\\\nThese crimes are not the fraud itself, but rather the attack techniques commonly employed by fraudsters in their pursuit of data that enables them to commit malicious acts, such as obtaining and using stolen credit cards. 
They represent a serious problem that is steadily increasing and not likely to go away anytime soon.\\\\\\nWhen developing a strategy for preventing fraud in your environment, it is important to look across all of your web services for evidence that attackers are abusing enterprise resources to enumerate systems, harvest data for secondary fraudulent activity, or abuse terms of service. This Analytic Story looks for evidence of common Internet attack techniques that could be indicative of web fraud in your environment, including account harvesting, anomalous user clickspeed, and password sharing across accounts, to name just a few.\\\\\\nThe account-harvesting search focuses on web pages used for user-account registration. It detects the creation of a large number of user accounts using the same email domain name, a type of activity frequently seen in advance of a fraud campaign.\\\\\\nThe anomalous clickspeed search looks for users who are moving through your website at a faster-than-normal speed or with a perfect click cadence (high periodicity or low standard deviation), which could indicate that the user is a script, not an actual human.\\\\\\nAnother search detects incidents wherein a single password is used across multiple accounts, which may indicate that a fraudster has infiltrated your environment and embedded a common password within a script.\",\n            \"author\": \"Jim Apger, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.fbi.gov/scams-and-safety/common-fraud-schemes/internet-fraud\",\n                \"https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Web Fraud Detection\",\n                \"usecase\": \"Fraud Detection\",\n                \"category\": [\n                    \"Abuse\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1136\",\n          
          \"T1078\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Valid Accounts\",\n                    \"Create Account\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Defense Evasion\",\n                    \"Persistence\",\n                    \"Initial Access\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Dragonfly 2.0\",\n                    \"Soft Cell\",\n                    \"APT41\",\n                    \"Threat Group-3390\",\n                    \"Night Dragon\",\n                    \"FIN10\",\n                    \"APT18\",\n                    \"TEMP.Veles\",\n                    \"APT28\",\n                    \"FIN8\",\n                    \"Sandworm Team\",\n                    \"Silence\",\n                    \"menuPass\",\n                    \"Suckfly\",\n                    \"APT39\",\n                    \"Carbanak\",\n                    \"FIN5\",\n                    \"Wizard Spider\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"FIN4\",\n                    \"no\",\n                    \"PittyTiger\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Web Fraud - Account Harvesting\",\n                    \"id\": \"31337aaa-941d-4ada-81ac-q2a17be5bf0d\",\n                    \"version\": 1,\n                    \"date\": \"2018-10-08\",\n                    \"description\": \"This search is used to identify the creation of multiple user accounts using the same email domain name.\",\n                    \"how_to_implement\": \"We start with a dataset that provides visibility into the email address used for the account creation. 
In this example, we are narrowing our search down to the single web page that hosts the Magento2 e-commerce platform (via URI) used for account creation, the single http content-type to grab only the user's clicks, and the http field that provides the username (form_data), for performance reasons.  After we have the username and email domain, we look for numerous account creations per email domain.  Common data sources used for this detection are customized Apache logs or Splunk Stream.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://splunkbase.splunk.com/app/2734/\",\n                        \"https://splunkbase.splunk.com/app/1809/\"\n                    ],\n                    \"author\": \"Jim Apger, Splunk\",\n                    \"search\": \"`stream_http` http_content_type=text* uri=\\\"/magento2/customer/account/loginPost/\\\" | rex field=cookie \\\"form_key=(?<SessionID>\\\\w+)\\\" | rex field=form_data \\\"login\\\\[username\\\\]=(?<Username>[^&|^$]+)\\\" | search Username=* | rex field=Username \\\"@(?<email_domain>.*)\\\" | stats dc(Username) as UniqueUsernames list(Username) as src_user by email_domain | where UniqueUsernames> 25 | `web_fraud___account_harvesting_filter`\",\n                    \"known_false_positives\": \"As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anomalous behavior. This search will need to be customized to fit your environment, improving its fidelity by counting based on something much more specific, such as a device ID that may be present in your dataset. Consideration for whether the large number of registrations are occurring from a first-time seen domain may also be important.  
Extending the search window to look further back in time, or even calculating the average per hour/day for each email domain to look for an anomalous spikes, will improve this search.  You can also use Shannon entropy or Levenshtein Distance (both courtesy of URL Toolbox) to consider the randomness or similarity of the email name or email domain, as the names are often machine-generated.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Web Fraud Detection\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1136\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\",\n                            \"DE.DP\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"asset_type\": \"Account\",\n                        \"mitre_attack_technique\": [\n                            \"Create Account\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=stream:http\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"stream_http\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"web_fraud___account_harvesting_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Web Fraud - Anomalous User Clickspeed\",\n                    \"id\": \"31337bbb-bc22-4752-b599-ef192df2dc7a\",\n                    \"version\": 1,\n                    \"date\": \"2018-10-08\",\n                    \"description\": \"This search is used to examine web sessions to identify those where the clicks are occurring too quickly for a human or are occurring with a near-perfect cadence (high periodicity or low standard deviation), resembling a script-driven session.\",\n                    \"how_to_implement\": \"Start with a dataset that allows you to see clickstream data for each user click on the website. That data must have a time stamp and must contain a reference to the session identifier being used by the website. This ties the clicks together into clickstreams. This value is usually found in the http cookie. With a bit of tuning, a version of this search could be used in high-volume scenarios, such as scraping, crawling, application DDOS, credit-card testing, account takeover, etc. 
Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://en.wikipedia.org/wiki/Session_ID\",\n                        \"https://en.wikipedia.org/wiki/Session_(computer_science)\",\n                        \"https://en.wikipedia.org/wiki/HTTP_cookie\",\n                        \"https://splunkbase.splunk.com/app/1809/\"\n                    ],\n                    \"author\": \"Jim Apger, Splunk\",\n                    \"search\": \"`stream_http` http_content_type=text* | rex field=cookie \\\"form_key=(?<session_id>\\\\w+)\\\" | streamstats window=2 current=1 range(_time) as TimeDelta by session_id | where TimeDelta>0 |stats count stdev(TimeDelta) as ClickSpeedStdDev avg(TimeDelta) as ClickSpeedAvg by session_id | where count>5 AND (ClickSpeedStdDev<.5 OR ClickSpeedAvg<.5) | `web_fraud___anomalous_user_clickspeed_filter`\",\n                    \"known_false_positives\": \"As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anomalous behavior.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Web Fraud Detection\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1078\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 6\"\n                        ],\n                        \"nist\": [\n                            \"DE.AE\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        
\"asset_type\": \"account\",\n                        \"mitre_attack_technique\": [\n                            \"Valid Accounts\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\",\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Initial Access\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Soft Cell\",\n                            \"TEMP.Veles\",\n                            \"APT39\",\n                            \"FIN4\",\n                            \"Night Dragon\",\n                            \"Dragonfly 2.0\",\n                            \"FIN8\",\n                            \"Leviathan\",\n                            \"APT33\",\n                            \"OilRig\",\n                            \"FIN5\",\n                            \"menuPass\",\n                            \"APT28\",\n                            \"FIN10\",\n                            \"Suckfly\",\n                            \"FIN6\",\n                            \"Threat Group-3390\",\n                            \"APT18\",\n                            \"PittyTiger\",\n                            \"Carbanak\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=stream:http\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"stream_http\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"web_fraud___anomalous_user_clickspeed_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Web Fraud - Password Sharing Across Accounts\",\n                    \"id\": \"31337a1a-53b9-4e05-96e9-55c934cb71d3\",\n                    \"version\": 1,\n                    \"date\": \"2018-10-08\",\n                    \"description\": \"This search is used to identify user accounts that share a common password.\",\n                    \"how_to_implement\": \"We need to start with a dataset that allows us to see the values of usernames and passwords that users are submitting to the website hosting the Magento2 e-commerce platform (commonly found in the HTTP form_data field). A tokenized or hashed value of a password is acceptable and certainly preferable to a clear-text password, which would otherwise be retained in your indexed data and in the search results. 
Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://en.wikipedia.org/wiki/Session_ID\",\n                        \"https://en.wikipedia.org/wiki/Session_(computer_science)\",\n                        \"https://en.wikipedia.org/wiki/HTTP_cookie\",\n                        \"https://splunkbase.splunk.com/app/1809/\"\n                    ],\n                    \"author\": \"Jim Apger, Splunk\",\n                    \"search\": \"`stream_http` http_content_type=text* uri=/magento2/customer/account/loginPost*  | rex field=form_data \\\"login\\\\[username\\\\]=(?<Username>[^&|^$]+)\\\" | rex field=form_data \\\"login\\\\[password\\\\]=(?<Password>[^&|^$]+)\\\" | stats dc(Username) as UniqueUsernames values(Username) as user list(src_ip) as src_ip by Password|where UniqueUsernames>5 | `web_fraud___password_sharing_across_accounts_filter`\",\n                    \"known_false_positives\": \"As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anomalous behavior.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Web Fraud Detection\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\"\n                        ],\n                        \"security_domain\": \"threat\",\n                        \"asset_type\": \"account\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        
{\n                            \"definition\": \"sourcetype=stream:http\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"stream_http\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"web_fraud___password_sharing_across_accounts_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Windows Defense Evasion Tactics\",\n            \"id\": \"56e24a28-5003-4047-b2db-e8f3c4618064\",\n            \"version\": 1,\n            \"date\": \"2018-05-31\",\n            \"description\": \"Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe` and disabling user-account control, among many others \",\n            \"narrative\": \"Defense evasion is a tactic--identified in the MITRE ATT&CK framework--that adversaries employ in a variety of ways to bypass or defeat defensive security measures. There are many techniques enumerated by the MITRE ATT&CK framework that are applicable in this context. 
This Analytic Story includes searches designed to identify the use of such techniques on Windows platforms.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://attack.mitre.org/wiki/Defense_Evasion\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Windows Defense Evasion Tactics\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1222.001\",\n                    \"T1112\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Modify Registry\",\n                    \"Windows File and Directory Permissions Modification\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"Blue Mockingbird\",\n                    \"APT32\",\n                    \"Dragonfly 2.0\",\n                    \"Patchwork\",\n                    \"Turla\",\n                    \"Gorgon Group\",\n                    \"Wizard Spider\",\n                    \"Gamaredon Group\",\n                    \"APT41\",\n                    \"Honeybee\",\n                    \"FIN8\",\n                    \"APT38\",\n                    \"Threat Group-3390\",\n                    \"no\",\n                    \"Silence\",\n                    \"APT19\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Disabling Remote User Account Control\",\n                    \"id\": \"bbc644bc-37df-4e1a-9c88-ec9a53e2038c\",\n                    \"version\": 3,\n                    \"date\": \"2020-03-02\",\n                    \"description\": \"The search looks for modifications to 
registry keys that control the enforcement of Windows User Account Control (UAC).\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=\\\"*Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\LocalAccountTokenFilterPolicy\\\" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`\",\n                    \"known_false_positives\": \"This registry key may be modified via administrators to implement a change in system policy. 
This type of change should be a very rare occurrence.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Defense Evasion Tactics\",\n                            \"Suspicious Windows Registry Activities\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1112\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Modify Registry\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Gamaredon Group\",\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Turla\",\n                            \"APT32\",\n                            \"APT38\",\n                            \"Dragonfly 2.0\",\n                            \"APT19\",\n                            \"Threat Group-3390\",\n                            \"Honeybee\",\n                            \"Patchwork\",\n                            \"Gorgon Group\",\n                            \"FIN8\"\n                        ]\n                    },\n                    \"macros\": [\n                    
    {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"disabling_remote_user_account_control_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Hiding Files And Directories With Attrib exe\",\n                    \"id\": \"c77162d3-f93c-45cc-80c8-22f6b5264g9f\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"Attackers leverage an existing Windows binary, attrib.exe, to mark specific files as hidden by using specific flags so that the victim does not see the file.  The search looks for specific command-line arguments to detect the use of attrib.exe to hide files.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=attrib.exe (Processes.process=*+h*) by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `hiding_files_and_directories_with_attrib_exe_filter` \",\n                    \"known_false_positives\": \"Some applications and users may legitimately use attrib.exe to interact with the files. \",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Defense Evasion Tactics\",\n                            \"Windows Persistence Techniques\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1222.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"\",\n                        \"mitre_attack_technique\": [\n                            \"Windows File and Directory Permissions Modification\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n    
                    \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"hiding_files_and_directories_with_attrib_exe_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Reg exe used to hide files directories via registry keys\",\n                    \"id\": \"c77162d3-f93c-45cc-80c8-22f6b5264x9f\",\n                    \"version\": 2,\n                    \"date\": \"2019-02-27\",\n                    \"description\": \"The search looks for command-line arguments used to hide a file or directory using the reg add command.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = reg.exe Processes.process=\\\"*add*\\\" Processes.process=\\\"*Hidden*\\\" Processes.process=\\\"*REG_DWORD*\\\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`| regex process = \\\"(/d\\\\s+2)\\\" | `reg_exe_used_to_hide_files_directories_via_registry_keys_filter`\",\n                    \"known_false_positives\": \"None at the moment\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Defense Evasion Tactics\",\n                            \"Suspicious Windows Registry Activities\",\n                            \"Windows Persistence Techniques\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            
\"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"reg_exe_used_to_hide_files_directories_via_registry_keys_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Remote Registry Key modifications\",\n                    \"id\": \"c9f4b923-f8af-4155-b697-1354f5dcbc5e\",\n                    \"version\": 3,\n                    \"date\": \"2020-03-02\",\n                    \"description\": \"This search monitors for remote modifications to registry keys.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must populate the `Endpoint` data model. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report reads and writes to the registry.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where  Registry.registry_path=\\\"\\\\\\\\\\\\\\\\*\\\"  by Registry.dest , Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `remote_registry_key_modifications_filter`\",\n                    \"known_false_positives\": \"This technique may be legitimately used by administrators to modify remote registries, so it's important to filter these events out.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Defense Evasion Tactics\",\n                            \"Suspicious Windows Registry Activities\",\n                            \"Windows Persistence Techniques\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n              
          {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"remote_registry_key_modifications_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Suspicious Reg exe Process\",\n                    \"id\": \"a6b3ab4e-dd77-4213-95fa-fc94701995e0\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search looks for reg.exe being launched from a command prompt not started by the user. When a user launches cmd.exe, the parent process is usually explorer.exe. This search filters out those instances.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://car.mitre.org/wiki/CAR-2013-03-001\"\n                    ],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name != explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id Processes.dest Processes.process_name | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup process_id| table process_id dest] | `suspicious_reg_exe_process_filter` \",\n                    \"known_false_positives\": \"It's possible for system administrators to write scripts that exhibit this behavior. 
If this is the case, the search will need to be modified to filter them out.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Defense Evasion Tactics\",\n                            \"Disabling Security Tools\",\n                            \"DHS Report TA18-074A\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1112\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Modify Registry\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Gamaredon Group\",\n                            \"Blue Mockingbird\",\n                            \"Wizard Spider\",\n                            \"Silence\",\n                            \"APT41\",\n                            \"Turla\",\n                            \"APT32\",\n                            \"APT38\",\n                            \"Dragonfly 2.0\",\n                            \"APT19\",\n                            \"Threat Group-3390\",\n                            \"Honeybee\",\n                            \"Patchwork\",\n                            \"Gorgon Group\",\n                            \"FIN8\"\n                        ]\n                    },\n                    
\"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"suspicious_reg_exe_process_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Windows DNS SIGRed CVE-2020-1350\",\n            \"id\": \"36dbb206-d073-11ea-87d0-0242ac130003\",\n            \"version\": 1,\n            \"date\": \"2020-07-28\",\n            \"description\": \"Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise.  
The included searches in this Analytic Story are designed to identify the large response payload for SIG and KEY DNS records which can be used for the exploit.\",\n            \"narrative\": \"When a client requests a DNS record for a particular domain, that request gets routed first through the client's locally configured DNS server, then to any DNS server(s) configured as forwarders, and then onto the target domain's own DNS server(s).  If an attacker wanted to, they could host a malicious DNS server that responds to the initial request with a specially crafted large response (~65KB).  This response would flow through to the client's local DNS server, which if not patched for CVE-2020-1350, would cause the buffer overflow. The detection searches in this Analytic Story use wire data to detect the malicious behavior. Searches for Splunk Stream and Zeek are included.  The Splunk Stream search correlates across stream:dns and stream:tcp, while the Zeek search correlates across bro:dns:json and bro:conn:json.  
These correlations are required to pick up both the DNS record types (SIG and KEY) along with the payload size (>65KB).\",\n            \"author\": \"Shannon Davis, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\",\n                \"https://support.microsoft.com/en-au/help/4569509/windows-dns-server-remote-code-execution-vulnerability\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Windows DNS SIGRed CVE-2020-1350\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1203\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Exploitation for Client Execution\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Execution\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Lazarus Group\",\n                    \"APT41\",\n                    \"BRONZE BUTLER\",\n                    \"Frankenstein\",\n                    \"Threat Group-3390\",\n                    \"TA459\",\n                    \"Cobalt Group\",\n                    \"APT32\",\n                    \"Tropic Trooper\",\n                    \"Patchwork\",\n                    \"APT28\",\n                    \"BlackTech\",\n                    \"Sandworm Team\",\n                    \"APT29\",\n                    \"APT37\",\n                    \"admin@338\",\n                    \"Inception\",\n                    \"The White Company\",\n                    \"Elderwood\",\n                    \"Leviathan\",\n                    \"APT12\",\n                    \"APT33\"\n                
]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect Windows DNS SIGRed via Splunk Stream\",\n                    \"id\": \"babd8d10-d073-11ea-87d0-0242ac130003\",\n                    \"version\": 1,\n                    \"date\": \"2020-07-28\",\n                    \"description\": \"This search detects SIGRed via Splunk Stream.\",\n                    \"how_to_implement\": \"You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp.  Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\"\n                    ],\n                    \"author\": \"Shannon Davis, Splunk\",\n                    \"search\": \"`stream_dns` | spath \\\"query_type{}\\\" | search \\\"query_type{}\\\" IN (SIG,KEY) | spath protocol_stack | search protocol_stack=\\\"ip:tcp:dns\\\" | append [search `stream_tcp` bytes_out>65000] | `detect_windows_dns_sigred_via_splunk_stream_filter` | stats count by flow_id | where count>1 | fields - count\",\n                    \"known_false_positives\": \"unknown\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows DNS SIGRed CVE-2020-1350\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1203\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Exploitation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 12\"\n                    
    ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"network\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Exploitation for Client Execution\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"MuddyWater\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"BlackTech\",\n                            \"APT41\",\n                            \"admin@338\",\n                            \"Threat Group-3390\",\n                            \"APT12\",\n                            \"The White Company\",\n                            \"APT33\",\n                            \"APT32\",\n                            \"APT28\",\n                            \"Tropic Trooper\",\n                            \"Lazarus Group\",\n                            \"BRONZE BUTLER\",\n                            \"Cobalt Group\",\n                            \"APT37\",\n                            \"Patchwork\",\n                            \"Leviathan\",\n                            \"Elderwood\",\n                            \"TA459\",\n                            \"APT29\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"sourcetype=stream:tcp\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"stream_tcp\"\n                        },\n                        {\n                            \"definition\": \"sourcetype=stream:dns\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"stream_dns\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"detect_windows_dns_sigred_via_splunk_stream_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Detect Windows DNS SIGRed via Zeek\",\n                    \"id\": \"c5c622e4-d073-11ea-87d0-0242ac130003\",\n                    \"version\": 1,\n                    \"date\": \"2020-07-28\",\n                    \"description\": \"This search detects SIGRed via Zeek DNS and Zeek Conn data.\",\n                    \"how_to_implement\": \"You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format.  We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json.  
The Network Resolution and Network Traffic datamodels are in use for this search.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\"\n                    ],\n                    \"author\": \"Shannon Davis, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.query_type IN (SIG,KEY) by DNS.flow_id | rename DNS.flow_id as flow_id | append [| tstats  `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id as flow_id] | `detect_windows_dns_sigred_via_zeek_filter` | stats count by flow_id | where count>1 | fields - count \",\n                    \"known_false_positives\": \"unknown\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows DNS SIGRed CVE-2020-1350\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1203\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Exploitation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 16\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Exploitation for Client Execution\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n               
         ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"MuddyWater\",\n                            \"Frankenstein\",\n                            \"Inception\",\n                            \"BlackTech\",\n                            \"APT41\",\n                            \"admin@338\",\n                            \"Threat Group-3390\",\n                            \"APT12\",\n                            \"The White Company\",\n                            \"APT33\",\n                            \"APT32\",\n                            \"APT28\",\n                            \"Tropic Trooper\",\n                            \"Lazarus Group\",\n                            \"BRONZE BUTLER\",\n                            \"Cobalt Group\",\n                            \"APT37\",\n                            \"Patchwork\",\n                            \"Leviathan\",\n                            \"Elderwood\",\n                            \"TA459\",\n                            \"APT29\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"detect_windows_dns_sigred_via_zeek_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Windows File Extension and Association Abuse\",\n            \"id\": \"30552a76-ac78-48e4-b3c0-de4e34e9563d\",\n            \"version\": 1,\n            \"date\": \"2018-01-26\",\n            \"description\": \"Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques.\",\n            \"narrative\": \"Attackers use a variety of techniques to entice users to run malicious code or to persist on an endpoint. One way to accomplish these goals is to leverage file extensions and the mechanism Windows uses to associate files with specific applications. \\\\\\n Since its earliest days, Windows has used extensions to identify file types. Users have become familiar with these extensions and their application associations. For example, if users see that a file ends in `.doc` or `.docx`, they will assume that it is a Microsoft Word document and expect that double-clicking will open it using `winword.exe`. The user will typically also presume that the `.docx` file is safe. \\\\\\n Attackers take advantage of this expectation by obfuscating the true file extension. They can accomplish this in a couple of ways. One technique involves inserting multiple spaces in the file name before the extension to hide the extension from the GUI, obscuring the true nature of the file. Another approach involves prepending the real extension with a different one. 
This is especially effective when Windows is configured to \\\"hide extensions for known file types.\\\" In this case, the real extension is not displayed, but the prepended one is, leading end users to believe the file is a different type than it actually is.\\\\\\nChanging the association between a file extension and an application can allow an attacker to execute arbitrary code. The technique typically involves changing the association for an often-launched file type to associate instead with a malicious program the attacker has dropped on the endpoint. When the end user launches a file that has been manipulated in this way, it will execute the attacker's malware. It will also execute the application the end user expected to run, cleverly obscuring the fact that something suspicious has occurred.\\\\\\nRun the searches in this story to detect and investigate suspicious behavior that may indicate abuse or manipulation of Windows file extensions and/or associations.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://blog.malwarebytes.com/cybercrime/2013/12/file-extensions-2/\",\n                \"https://attack.mitre.org/wiki/Technique/T1042\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Windows File Extension and Association Abuse\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Malware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1546.001\",\n                    \"T1036\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Masquerading\",\n                    \"Change Default File Association\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Defense Evasion\",\n                    \"Persistence\"\n      
          ],\n                \"mitre_attack_groups\": [\n                    \"APT32\",\n                    \"Kimsuky\",\n                    \"Dragonfly 2.0\",\n                    \"BRONZE BUTLER\",\n                    \"Windshift\",\n                    \"menuPass\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Execution of File with Multiple Extensions\",\n                    \"id\": \"b06a555e-dce0-417d-a2eb-28a5d8d66ef7\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for processes launched from files that have double extensions in the file name. This is typically done to obscure the \\\"real\\\" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = *.doc.exe OR Processes.process = *.htm.exe OR Processes.process = *.html.exe OR Processes.process = *.txt.exe OR Processes.process = *.pdf.exe OR Processes.process = *.doc.exe by Processes.dest Processes.user Processes.process Processes.parent_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_multiple_extensions_filter`\",\n                    \"known_false_positives\": \"None identified.\",\n                    \"tags\": {\n                        
\"analytics_story\": [\n                            \"Windows File Extension and Association Abuse\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1036\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\",\n                            \"PR.PT\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Masquerading\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Windshift\",\n                            \"APT32\",\n                            \"BRONZE BUTLER\",\n                            \"menuPass\",\n                            \"Dragonfly 2.0\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" 
ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"execution_of_file_with_multiple_extensions_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Execution of File With Spaces Before Extension\",\n                    \"id\": \"ab0353e6-a956-420b-b724-a8b4846d5d5a\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process_path) as process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = \\\"*     .*\\\" by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_spaces_before_extension_filter`\",\n                    \"known_false_positives\": \"None identified.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows File Extension and Association Abuse\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1036\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\",\n                            \"PR.PT\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Masquerading\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                  
          \"Windshift\",\n                            \"APT32\",\n                            \"BRONZE BUTLER\",\n                            \"menuPass\",\n                            \"Dragonfly 2.0\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"execution_of_file_with_spaces_before_extension_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Suspicious Changes to File Associations\",\n                    \"id\": \"1b989a0e-0129-4446-a695-f193a5b746fc\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area.\",\n                    \"how_to_implement\": \"To successfully implement this search you need to be ingesting information on registry changes that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` and `Registry` nodes.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name!=Explorer.exe AND Processes.process_name!=OpenWith.exe by Processes.process_id Processes.dest | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join [| tstats `security_content_summariesonly` values(Registry.registry_path) as registry_path count  FROM datamodel=Endpoint.Registry where Registry.registry_path=*\\\\\\\\Explorer\\\\\\\\FileExts* by Registry.process_id Registry.dest | `drop_dm_object_name(\\\"Registry\\\")` | table process_id dest registry_path]| `suspicious_changes_to_file_associations_filter` \",\n                    
\"known_false_positives\": \"There may be other processes in your environment that users may legitimately use to modify file associations. If this is the case and you are finding false positives, you can modify the search to add those processes as exceptions.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Windows Registry Activities\",\n                            \"Windows File Extension and Association Abuse\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1546.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\",\n                            \"PR.PT\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Change Default File Association\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Privilege Escalation\",\n                            \"Persistence\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Kimsuky\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": 
\"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"suspicious_changes_to_file_associations_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Windows Log Manipulation\",\n            \"id\": \"b6db2c60-a281-48b4-95f1-2cd99ed56835\",\n            \"version\": 2,\n            \"date\": \"2017-09-12\",\n            \"description\": \"Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense.\",\n            \"narrative\": \"Because attackers often modify system logs to cover their tracks and/or to thwart the investigative process, log monitoring is an industry-recognized best practice. While there are legitimate reasons to manipulate system logs, it is still worthwhile to keep track of who manipulated the logs, when they manipulated them, and in what way they manipulated them (determining which accesses, tools, or utilities were employed). 
Even if no malicious activity is detected, the knowledge of an attempt to manipulate system logs may be indicative of a broader security risk that should be thoroughly investigated.\\\\\\nThe Analytic Story gives users two different ways to detect manipulation of Windows Event Logs and one way to detect deletion of the Update Sequence Number (USN) Change Journal. The story helps determine the history of the host and the users who have accessed it. Finally, the story aids in investigation by retrieving all the information on the process that caused these events (if the process has been identified).\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/\",\n                \"https://zeltser.com/security-incident-log-review-checklist/\",\n                \"http://journeyintoir.blogspot.com/2013/01/re-introducing-usnjrnl.html\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Windows Log Manipulation\",\n                \"usecase\": \"Security Monitoring\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1485\",\n                    \"T1070.001\",\n                    \"T1070\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Data Destruction\",\n                    \"Clear Windows Event Logs\",\n                    \"Indicator Removal on Host\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Impact\",\n                    \"Defense Evasion\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"APT32\",\n                    \"Dragonfly 2.0\",\n                    \"APT28\",\n                    \"Lazarus Group\",\n                    \"FIN5\",\n      
              \"APT41\",\n                    \"FIN8\",\n                    \"APT38\",\n                    \"Sandworm Team\",\n                    \"no\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Deleting Shadow Copies\",\n                    \"id\": \"b89919ed-ee5f-492c-b139-95dbb162039e\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service.  Wmic is an interface to the Windows Management Instrumentation.  This search looks for either of these tools being used to delete shadow copies.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe OR Processes.process_name=wmic.exe)  by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*delete* AND process=*shadow* | `deleting_shadow_copies_filter`\",\n                    \"known_false_positives\": \"vssadmin.exe and wmic.exe are standard applications shipped with modern versions of windows. 
They may be used by administrators to legitimately delete old backup copies, although this is typically rare.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Log Manipulation\",\n                            \"SamSam Ransomware\",\n                            \"Ransomware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1485\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 10\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Data Destruction\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Impact\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Sandworm Team\",\n                            \"Lazarus Group\",\n                            \"APT38\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                   
             \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"deleting_shadow_copies_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Suspicious wevtutil Usage\",\n                    \"id\": \"2827c0fd-e1be-4868-ae25-59d28e0f9d4f\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"The wevtutil.exe application is the windows event log utility. This searches for wevtutil.exe with parameters for clearing the application, security, setup, or system event logs.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = wevtutil.exe Processes.process=\\\"*cl*\\\" (Processes.process=\\\"*System*\\\" OR Processes.process=\\\"*Security*\\\" OR Processes.process=\\\"*Setup*\\\" OR Processes.process=\\\"*Application*\\\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `suspicious_wevtutil_usage_filter`\",\n                    \"known_false_positives\": \"The wevtutil.exe application is a legitimate Windows event log utility. 
Administrators may use it to manage Windows event logs.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Log Manipulation\",\n                            \"Ransomware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1070.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\",\n                            \"CIS 6\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n                            \"PR.IP\",\n                            \"PR.PT\",\n                            \"PR.AC\",\n                            \"PR.AT\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"\",\n                        \"mitre_attack_technique\": [\n                            \"Clear Windows Event Logs\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT41\",\n                            \"APT38\",\n                            \"Dragonfly 2.0\",\n                            \"APT32\",\n                            \"FIN8\",\n                            \"FIN5\",\n                            \"APT28\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data 
model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"suspicious_wevtutil_usage_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"USN Journal Deletion\",\n                    \"id\": \"b6e0ff70-b122-4227-9368-4cf322ab43c3\",\n                    \"version\": 2,\n                    \"date\": \"2018-12-03\",\n                    \"description\": \"The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on the disk. This search looks for fsutil.exe deleting the USN journal.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=\\\"*deletejournal*\\\" AND process=\\\"*usn*\\\" | `usn_journal_deletion_filter`\",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Log Manipulation\",\n                            \"Ransomware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1070\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 6\",\n                            \"CIS 8\",\n                            \"CIS 10\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\",\n                            \"PR.PT\",\n                            \"DE.AE\",\n                            \"DE.DP\",\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                     
       \"Indicator Removal on Host\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"usn_journal_deletion_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Windows Event Log Cleared\",\n                    \"id\": \"ad517544-aff9-4c96-bd99-d6eb43bfbb6a\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-06\",\n                    \"description\": \"This search looks for Windows events that indicate one of the Windows event logs has been purged.\",\n                    \"how_to_implement\": \"To successfully implement this search, you need to be ingesting Windows event logs from your hosts.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"(`wineventlog_security` (EventCode=1102 OR EventCode=1100)) OR (`wineventlog_system` EventCode=104) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_log_cleared_filter`\",\n                    \"known_false_positives\": \"It is possible that these logs may be legitimately cleared by Administrators.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Log Manipulation\",\n                            \"Ransomware\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1070.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\",\n                            \"CIS 6\"\n                        ],\n                        \"nist\": [\n                            \"DE.DP\",\n   
                         \"PR.IP\",\n                            \"PR.AC\",\n                            \"PR.AT\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Clear Windows Event Logs\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT41\",\n                            \"APT38\",\n                            \"Dragonfly 2.0\",\n                            \"APT32\",\n                            \"FIN8\",\n                            \"FIN5\",\n                            \"APT28\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"eventtype=wineventlog_security\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"wineventlog_security\"\n                        },\n                        {\n                            \"definition\": \"eventtype=wineventlog_system\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n                            \"name\": \"wineventlog_system\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"windows_event_log_cleared_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Windows Persistence Techniques\",\n            \"id\": \"30874d4f-20a1-488f-85ec-5d52ef74e3f9\",\n            \"version\": 2,\n            \"date\": \"2018-05-31\",\n            \"description\": \"Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment.\",\n            \"narrative\": \"Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. 
This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Windows environment.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"http://www.fuzzysecurity.com/tutorials/19.html\",\n                \"https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html\",\n                \"http://resources.infosecinstitute.com/common-malware-persistence-mechanisms/\",\n                \"https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html\",\n                \"https://www.youtube.com/watch?v=dq2Hv7J9fvk\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Windows Persistence Techniques\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1574.009\",\n                    \"T1543.003\",\n                    \"T1547.001\",\n                    \"T1546.011\",\n                    \"T1053.005\",\n                    \"T1222.001\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Scheduled Task\",\n                    \"Application Shimming\",\n                    \"Registry Run Keys / Startup Folder\",\n                    \"Path Interception by Unquoted Path\",\n                    \"Windows Service\",\n                    \"Windows File and Directory Permissions Modification\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Defense Evasion\",\n                    \"Execution\",\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                 
   \"Putter Panda\",\n                    \"Dragonfly 2.0\",\n                    \"Soft Cell\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"Gamaredon Group\",\n                    \"APT41\",\n                    \"Honeybee\",\n                    \"BRONZE BUTLER\",\n                    \"Frankenstein\",\n                    \"Threat Group-3390\",\n                    \"Cobalt Group\",\n                    \"APT18\",\n                    \"FIN10\",\n                    \"Tropic Trooper\",\n                    \"APT32\",\n                    \"Patchwork\",\n                    \"TEMP.Veles\",\n                    \"Turla\",\n                    \"Ke3chang\",\n                    \"no\",\n                    \"Rancor\",\n                    \"RTM\",\n                    \"Sharpshooter\",\n                    \"FIN8\",\n                    \"APT29\",\n                    \"Silence\",\n                    \"Molerats\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"menuPass\",\n                    \"DarkVishnya\",\n                    \"Blue Mockingbird\",\n                    \"Machete\",\n                    \"APT-C-36\",\n                    \"Stealth Falcon\",\n                    \"APT39\",\n                    \"Gorgon Group\",\n                    \"Magic Hound\",\n                    \"Inception\",\n                    \"Kimsuky\",\n                    \"Dark Caracal\",\n                    \"Carbanak\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"Wizard Spider\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"Rocke\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Detect Path Interception By Creation Of program exe\",\n                    \"id\": 
\"c77162d3-f93c-45cc-80c8-22f6v5264g9f\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-03\",\n                    \"description\": \"The detection Detect Path Interception By Creation Of program exe is detecting the abuse of unquoted service paths, which is a popular technique for privilege escalation. \",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae\"\n                    ],\n                    \"author\": \"Patrick Bareiss, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | rex field=process \\\"^.*\\\\\\\\\\\\\\\\(?<service_process>.*\\\\.(?:exe|bat|com|ps1))\\\" | eval process_name = lower(process_name) | eval service_process = lower(service_process)| where process_name != service_process | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_path_interception_by_creation_of_program_exe_filter`\",\n                    \"known_false_positives\": \"unknown\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Persistence Techniques\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1574.009\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n     
                       \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Path Interception by Unquoted Path\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\",\n                            \"Privilege Escalation\",\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"detect_path_interception_by_creation_of_program_exe_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Hiding Files And Directories With Attrib exe\",\n                    \"id\": \"c77162d3-f93c-45cc-80c8-22f6b5264g9f\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"Attackers leverage an existing Windows binary, attrib.exe, to mark specific files as hidden by using specific flags so that the victim does not see the file.  The search looks for specific command-line arguments to detect the use of attrib.exe to hide files.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=attrib.exe (Processes.process=*+h*) by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`| `hiding_files_and_directories_with_attrib_exe_filter` \",\n                    \"known_false_positives\": \"Some applications and users may legitimately use attrib.exe to interact with the files. 
\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Defense Evasion Tactics\",\n                            \"Windows Persistence Techniques\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1222.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"\",\n                        \"mitre_attack_technique\": [\n                            \"Windows File and Directory Permissions Modification\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Defense Evasion\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"no\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n  
                      },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"hiding_files_and_directories_with_attrib_exe_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Monitor Registry Keys for Print Monitors\",\n                    \"id\": \"f5f6af30-7ba7-4295-bfe9-07de87c01bbc\",\n                    \"version\": 1,\n                    \"date\": \"2018-11-02\",\n                    \"description\": \"This search looks for registry activity associated with modifications to the registry key `HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors`. In this scenario, an attacker can load an arbitrary .dll into the print-monitor registry by giving the full path name to the after.dll. The system will execute the .dll with elevated (SYSTEM) permissions and will persist after reboot.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or via other endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report registry modifications.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.action=modified AND Registry.registry_path=\\\"*CurrentControlSet\\\\\\\\Control\\\\\\\\Print\\\\\\\\Monitors*\\\" by Registry.dest, Registry.registry_key_name Registry.status Registry.user Registry.registry_path Registry.action | `drop_dm_object_name(Registry)` | `monitor_registry_keys_for_print_monitors_filter`\",\n                    \"known_false_positives\": \"You will encounter noise from legitimate print-monitor registry entries.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Windows Registry Activities\",\n                            \"Windows Persistence Techniques\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\",\n                            \"CIS 5\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"PR.AC\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": 
\"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"monitor_registry_keys_for_print_monitors_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Reg exe Manipulating Windows Services Registry Keys\",\n                    \"id\": \"8470d755-0c13-45b3-bd63-387a373c10cf\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"The search looks for reg.exe modifying registry keys that define Windows services and their configurations.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes where Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services* by Processes.process_id Processes.dest Processes.process | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `reg_exe_manipulating_windows_services_registry_keys_filter`\",\n                    \"known_false_positives\": \"It is unusual for a service to be created or modified by directly manipulating the registry. 
However, there may be legitimate instances of this behavior. It is important to validate and investigate, as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Service Abuse\",\n                            \"Windows Persistence Techniques\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1547.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\",\n                            \"PR.PT\",\n                            \"PR.AC\",\n                            \"PR.AT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Registry Run Keys / Startup Folder\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Rocke\",\n                            \"Tropic Trooper\",\n                            \"Gamaredon Group\",\n                            \"Sharpshooter\",\n                            \"Molerats\",\n                            \"Silence\",\n                            \"RTM\",\n                            \"Inception\",\n                            \"APT41\",\n                            \"Machete\",\n                   
         \"Kimsuky\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"APT18\",\n                            \"Turla\",\n                            \"Dark Caracal\",\n                            \"Cobalt Group\",\n                            \"Honeybee\",\n                            \"Threat Group-3390\",\n                            \"Dragonfly 2.0\",\n                            \"Gorgon Group\",\n                            \"Ke3chang\",\n                            \"APT19\",\n                            \"Leviathan\",\n                            \"MuddyWater\",\n                            \"APT37\",\n                            \"BRONZE BUTLER\",\n                            \"Magic Hound\",\n                            \"APT3\",\n                            \"FIN10\",\n                            \"FIN7\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            \"Lazarus Group\",\n                            \"Putter Panda\",\n                            \"APT29\",\n                            \"Darkhotel\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n        
                },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"reg_exe_manipulating_windows_services_registry_keys_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Reg exe used to hide files directories via registry keys\",\n                    \"id\": \"c77162d3-f93c-45cc-80c8-22f6b5264x9f\",\n                    \"version\": 2,\n                    \"date\": \"2019-02-27\",\n                    \"description\": \"The search looks for command-line arguments used to hide a file or directory using the reg add command.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = reg.exe Processes.process=\\\"*add*\\\" Processes.process=\\\"*Hidden*\\\" Processes.process=\\\"*REG_DWORD*\\\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`| regex process = \\\"(/d\\\\s+2)\\\" | `reg_exe_used_to_hide_files_directories_via_registry_keys_filter`\",\n                    \"known_false_positives\": \"None at the moment\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Defense Evasion Tactics\",\n                            \"Suspicious Windows Registry Activities\",\n                            \"Windows Persistence Techniques\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            
\"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"reg_exe_used_to_hide_files_directories_via_registry_keys_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Registry Keys for Creating SHIM Databases\",\n                    \"id\": \"f5f6af30-7aa7-4295-bfe9-07fe87c01bbb\",\n                    \"version\": 2,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for registry activity associated with application compatibility shims, which can be leveraged by attackers for various nefarious purposes.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must populate the Change_Analysis data model. This is typically populated via endpoint detection and response products, such as Carbon Black or other endpoint data sources such as Sysmon. 
The data used for this search is typically generated via logs that report reads and writes to the registry.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change_Analysis.All_Changes where All_Changes.object_category=registry AND (All_Changes.object_path=\\\"*CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom*\\\" OR All_Changes.object_path=\\\"*CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\InstalledSDB*\\\") by All_Changes.dest, All_Changes.command, All_Changes.user, All_Changes.object, All_Changes.object_path | `drop_dm_object_name(\\\"All_Changes\\\")` | `registry_keys_for_creating_shim_databases_filter`\",\n                    \"known_false_positives\": \"There are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Windows Registry Activities\",\n                            \"Windows Persistence Techniques\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1546.011\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Application 
Shimming\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Privilege Escalation\",\n                            \"Persistence\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"FIN7\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"registry_keys_for_creating_shim_databases_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Registry Keys Used For Persistence\",\n                    \"id\": \"f5f6af30-7aa7-4295-bfe9-07fe87c01a4b\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"The search looks for modifications to registry keys that can be used to launch an application or service at system startup.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black or endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report reads and writes to the registry.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*currentversion\\\\\\\\run* OR Registry.registry_path=*currentVersion\\\\\\\\Windows\\\\\\\\Appinit_Dlls* OR Registry.registry_path=CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell* OR Registry.registry_path=*CurrentVersion\\\\\\\\Winlogon\\\\\\\\Userinit* OR Registry.registry_path=*CurrentVersion\\\\\\\\Winlogon\\\\\\\\VmApplet* OR Registry.registry_path=*currentversion\\\\\\\\policies\\\\\\\\explorer\\\\\\\\run* OR Registry.registry_path=*currentversion\\\\\\\\runservices* OR Registry.registry_path=*\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\* OR Registry.registry_path=\\\"*Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options*\\\" OR Registry.registry_path=HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Netsh\\\\\\\\*) by Registry.dest , Registry.status, Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `registry_keys_used_for_persistence_filter`\",\n                    \"known_false_positives\": \"There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Suspicious Windows Registry Activities\",\n                            \"Suspicious MSHTA Activity\",\n                            \"DHS Report TA18-074A\",\n               
             \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                            \"Ransomware\",\n                            \"Windows Persistence Techniques\",\n                            \"Emotet Malware  DHS Report TA18-201A \"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1547.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Registry Run Keys / Startup Folder\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Rocke\",\n                            \"Tropic Trooper\",\n                            \"Gamaredon Group\",\n                            \"Sharpshooter\",\n                            \"Molerats\",\n                            \"Silence\",\n                            \"RTM\",\n                            \"Inception\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"Kimsuky\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"APT18\",\n                        
    \"Turla\",\n                            \"Dark Caracal\",\n                            \"Cobalt Group\",\n                            \"Honeybee\",\n                            \"Threat Group-3390\",\n                            \"Dragonfly 2.0\",\n                            \"Gorgon Group\",\n                            \"Ke3chang\",\n                            \"APT19\",\n                            \"Leviathan\",\n                            \"MuddyWater\",\n                            \"APT37\",\n                            \"BRONZE BUTLER\",\n                            \"Magic Hound\",\n                            \"APT3\",\n                            \"FIN10\",\n                            \"FIN7\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            \"Lazarus Group\",\n                            \"Putter Panda\",\n                            \"APT29\",\n                            \"Darkhotel\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to 
filter out false positives. \",\n                            \"name\": \"registry_keys_used_for_persistence_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Remote Registry Key modifications\",\n                    \"id\": \"c9f4b923-f8af-4155-b697-1354f5dcbc5e\",\n                    \"version\": 3,\n                    \"date\": \"2020-03-02\",\n                    \"description\": \"This search monitors for remote modifications to registry keys.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must populate the `Endpoint` data model. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where  Registry.registry_path=\\\"\\\\\\\\\\\\\\\\*\\\"  by Registry.dest , Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `remote_registry_key_modifications_filter`\",\n                    \"known_false_positives\": \"This technique may be legitimately used by administrators to modify remote registries, so it's important to filter these events out.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Defense Evasion Tactics\",\n                            \"Suspicious Windows Registry Activities\",\n                      
      \"Windows Persistence Techniques\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [],\n                        \"mitre_attack_tactics\": [],\n                        \"mitre_attack_groups\": []\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"remote_registry_key_modifications_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Sc exe Manipulating Windows Services\",\n                    \"id\": \"f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for arguments to sc.exe indicating the creation or modification of a Windows service.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process=\\\"* create *\\\" OR Processes.process=\\\"* config *\\\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`\",\n                    \"known_false_positives\": \"Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. 
It is important to validate and investigate as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Service Abuse\",\n                            \"DHS Report TA18-074A\",\n                            \"Orangeworm Attack Group\",\n                            \"Windows Persistence Techniques\",\n                            \"Disabling Security Tools\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1543.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\",\n                            \"PR.PT\",\n                            \"PR.AC\",\n                            \"PR.AT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Service\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"DarkVishnya\",\n                            \"Wizard Spider\",\n                            \"APT32\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Tropic Trooper\",\n                            \"Cobalt 
Group\",\n                            \"Ke3chang\",\n                            \"Honeybee\",\n                            \"FIN7\",\n                            \"Threat Group-3390\",\n                            \"APT19\",\n                            \"APT3\",\n                            \"Lazarus Group\",\n                            \"Carbanak\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"sc_exe_manipulating_windows_services_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Schtasks used for forcing a reboot\",\n                    \"id\": \"1297fb80-f42a-4b4a-9c8a-88c066437cf6\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for flags passed to schtasks.exe on the command-line that indicate that a forced reboot of system is scheduled.\",\n                    \"how_to_implement\": \"To successfully implement this search you need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Bhavin Patel, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = schtasks.exe Processes.process=\\\"*shutdown*\\\" Processes.process=\\\"*/r*\\\" Processes.process=\\\"*/f*\\\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_used_for_forcing_a_reboot_filter`\",\n                    \"known_false_positives\": \"Administrators may create jobs on systems forcing reboots to perform updates, maintenance, etc.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Persistence Techniques\",\n                            \"Ransomware\"\n                        ],\n                        \"mitre_attack_id\": [\n                    
        \"T1053.005\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Scheduled Task\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\",\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Gamaredon Group\",\n                            \"Blue Mockingbird\",\n                            \"MuddyWater\",\n                            \"Wizard Spider\",\n                            \"Frankenstein\",\n                            \"APT-C-36\",\n                            \"BRONZE BUTLER\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"Soft Cell\",\n                            \"Silence\",\n                            \"TEMP.Veles\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"Dragonfly 2.0\",\n                            \"Patchwork\",\n                            \"OilRig\",\n                            \"Rancor\",\n                            \"Cobalt Group\",\n                            \"FIN8\",\n                            \"menuPass\",\n                            \"FIN10\",\n                            \"APT32\",\n                            \"FIN7\",\n                            
\"Stealth Falcon\",\n                            \"FIN6\",\n                            \"APT3\",\n                            \"APT29\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"schtasks_used_for_forcing_a_reboot_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Shim Database File Creation\",\n                    \"id\": \"6e4c4588-ba2f-42fa-97e6-9f6f548eaa33\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search looks for shim database files being written to default directories. The sdbinst.exe application is used to install shim database files (.sdb). 
According to Microsoft, a shim is a small library that transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere.\",\n                    \"how_to_implement\": \"You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Filesystem.action) values(Filesystem.file_hash) as file_hash values(Filesystem.file_path) as file_path  min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=*Windows\\\\AppPatch\\\\Custom* by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`drop_dm_object_name(Filesystem)` | `shim_database_file_creation_filter`\",\n                    \"known_false_positives\": \"Because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. 
However, if there are other correlating events, it may warrant further investigation.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Persistence Techniques\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1546.011\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Application Shimming\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Privilege Escalation\",\n                            \"Persistence\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"FIN7\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                   
         \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"shim_database_file_creation_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Shim Database Installation With Suspicious Parameters\",\n                    \"id\": \"404620de-46d8-48b6-90cc-8a8d7b0876a3\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search detects the process execution and arguments required to silently create a shim database.  The sdbinst.exe application is used to install shim database files (.sdb). A shim is a small library which transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sdbinst.exe Processes.process=\\\"*-p*\\\" Processes.process=\\\"*-q*\\\" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `shim_database_installation_with_suspicious_parameters_filter`\",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Persistence Techniques\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1546.011\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Application Shimming\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Privilege Escalation\",\n                            \"Persistence\"\n                        ],\n                        \"mitre_attack_groups\": [\n        
                    \"FIN7\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"shim_database_installation_with_suspicious_parameters_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Windows Privilege Escalation\",\n            \"id\": \"644e22d3-598a-429c-a007-16fdb802cae5\",\n            \"version\": 2,\n            \"date\": \"2020-02-04\",\n            \"description\": \"Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.\",\n            \"narrative\": \"Privilege escalation is a \\\"land-and-expand\\\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. 
The motivation is simple: certain actions on a Windows machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://attack.mitre.org/tactics/TA0004/\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Windows Privilege Escalation\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Adversary Tactics\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1547.001\",\n                    \"T1068\",\n                    \"T1204.002\",\n                    \"T1546.008\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Malicious File\",\n                    \"Registry Run Keys / Startup Folder\",\n                    \"Accessibility Features\",\n                    \"Exploitation for Privilege Escalation\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Execution\",\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Putter Panda\",\n                    \"Dragonfly 2.0\",\n                    \"TA505\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"APT41\",\n                    \"Gamaredon Group\",\n                    \"Honeybee\",\n                    \"BRONZE BUTLER\",\n                    \"Naikon\",\n         
           \"Frankenstein\",\n                    \"Threat Group-3390\",\n                    \"DarkHydrus\",\n                    \"Cobalt Group\",\n                    \"TA459\",\n                    \"APT18\",\n                    \"FIN10\",\n                    \"APT32\",\n                    \"Tropic Trooper\",\n                    \"Patchwork\",\n                    \"APT28\",\n                    \"Deep Panda\",\n                    \"Turla\",\n                    \"Ke3chang\",\n                    \"Rancor\",\n                    \"Whitefly\",\n                    \"RTM\",\n                    \"Sharpshooter\",\n                    \"FIN8\",\n                    \"APT29\",\n                    \"Sandworm Team\",\n                    \"Gallmaker\",\n                    \"Silence\",\n                    \"Molerats\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"menuPass\",\n                    \"APT-C-36\",\n                    \"Machete\",\n                    \"APT39\",\n                    \"Gorgon Group\",\n                    \"Magic Hound\",\n                    \"admin@338\",\n                    \"Inception\",\n                    \"PLATINUM\",\n                    \"Windshift\",\n                    \"APT12\",\n                    \"The White Company\",\n                    \"Elderwood\",\n                    \"Kimsuky\",\n                    \"Axiom\",\n                    \"Dark Caracal\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"Wizard Spider\",\n                    \"Mofang\",\n                    \"Leviathan\",\n                    \"OilRig\",\n                    \"FIN6\",\n                    \"FIN4\",\n                    \"BlackTech\",\n                    \"Rocke\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"Child Processes of Spoolsv exe\",\n     
               \"id\": \"aa0c4aeb-5b18-41c4-8c07-f1442d7599df\",\n                    \"version\": 3,\n                    \"date\": \"2020-03-16\",\n                    \"description\": \"This search looks for child processes of spoolsv.exe. This activity is associated with a POC privilege-escalation exploit associated with CVE-2018-8440. Spoolsv.exe is the process associated with the Print Spooler service in Windows and typically runs as SYSTEM.\",\n                    \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. Update the `children_of_spoolsv_filter` macro to filter out legitimate child processes spawned by spoolsv.exe.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter` \",\n                    \"known_false_positives\": \"Some legitimate printer-related processes may show up as children of spoolsv.exe. 
Confirm that any such activity is legitimate before adding it as an exclusion in the search (via the `child_processes_of_spoolsv_exe_filter` macro).\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Privilege Escalation\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1068\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Exploitation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 5\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.AC\",\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Exploitation for Privilege Escalation\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Whitefly\",\n                            \"APT33\",\n                            \"Cobalt Group\",\n                            \"PLATINUM\",\n                            \"FIN8\",\n                            \"APT32\",\n                            \"Threat Group-3390\",\n                            \"FIN6\",\n                            \"APT28\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            
\"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"child_processes_of_spoolsv_exe_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Overwriting Accessibility Binaries\",\n                    \"id\": \"13c2f6c3-10c5-4deb-9ba1-7c4460ebe4ae\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"Microsoft Windows contains accessibility features that can be launched with a key combination before a user has logged in. An adversary can modify or replace these programs so they can get a command prompt or backdoor without logging in to the system. This search looks for modifications to these binaries.\",\n                    \"how_to_implement\": \"You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. 
If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem where (Filesystem.file_path=*\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sethc.exe* OR Filesystem.file_path=*\\\\\\\\Windows\\\\\\\\System32\\\\\\\\utilman.exe* OR Filesystem.file_path=*\\\\\\\\Windows\\\\\\\\System32\\\\\\\\osk.exe* OR Filesystem.file_path=*\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Magnify.exe* OR Filesystem.file_path=*\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Narrator.exe* OR Filesystem.file_path=*\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DisplaySwitch.exe* OR Filesystem.file_path=*\\\\\\\\Windows\\\\\\\\System32\\\\\\\\AtBroker.exe*) by Filesystem.file_name Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `overwriting_accessibility_binaries_filter`\",\n                    \"known_false_positives\": \"Microsoft may provide updates to these binaries. 
Verify that these changes do not correspond with your normal software update cycle.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Privilege Escalation\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1546.008\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Accessibility Features\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Privilege Escalation\",\n                            \"Persistence\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"APT41\",\n                            \"APT3\",\n                            \"APT29\",\n                            \"Deep Panda\",\n                            \"Axiom\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n      
                      \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"overwriting_accessibility_binaries_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Registry Keys Used For Privilege Escalation\",\n                    \"id\": \"c9f4b923-f8af-4155-b697-1354f5bcbc5e\",\n                    \"version\": 3,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under \\\"Image File Execution Options\\\" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries.\",\n                    \"how_to_implement\": \"To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report reads and writes to the registry.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [\n                        \"https://blog.malwarebytes.com/101/2015/12/an-introduction-to-image-file-execution-options/\"\n                    ],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=\\\"*Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options*\\\") AND (Registry.registry_key_name=GlobalFlag OR Registry.registry_key_name=Debugger) by Registry.dest  Registry.user | `security_content_ctime(lastTime)`  | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `registry_keys_used_for_privilege_escalation_filter`\",\n                    \"known_false_positives\": \"Legitimate software (for example, debuggers or diagnostic tooling) may set a Debugger or GlobalFlag value under Image File Execution Options for specific executables. Verify the executable referenced by the value and the process that made the change before treating a hit as malicious.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Privilege Escalation\",\n                            \"Suspicious Windows Registry Activities\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1547.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.PT\",\n                            \"DE.CM\"\n                       
 ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Registry Run Keys / Startup Folder\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Rocke\",\n                            \"Tropic Trooper\",\n                            \"Gamaredon Group\",\n                            \"Sharpshooter\",\n                            \"Molerats\",\n                            \"Silence\",\n                            \"RTM\",\n                            \"Inception\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"Kimsuky\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"APT18\",\n                            \"Turla\",\n                            \"Dark Caracal\",\n                            \"Cobalt Group\",\n                            \"Honeybee\",\n                            \"Threat Group-3390\",\n                            \"Dragonfly 2.0\",\n                            \"Gorgon Group\",\n                            \"Ke3chang\",\n                            \"APT19\",\n                            \"Leviathan\",\n                            \"MuddyWater\",\n                            \"APT37\",\n                            \"BRONZE BUTLER\",\n                            \"Magic Hound\",\n                            \"APT3\",\n                            \"FIN10\",\n                            \"FIN7\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            
\"Lazarus Group\",\n                            \"Putter Panda\",\n                            \"APT29\",\n                            \"Darkhotel\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"registry_keys_used_for_privilege_escalation_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Uncommon Processes On Endpoint\",\n                    \"id\": \"29ccce64-a10c-4389-a45f-337cb29ba1f7\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-22\",\n                    \"description\": \"This search looks for applications on the endpoint that you have marked as uncommon.\",\n                    \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. 
The command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model. This search uses a lookup file `uncommon_processes_default.csv` to track various features of process names that are usually uncommon in most environments. Please consider updating `uncommon_processes_local.csv` to hunt for processes that are uncommon in your environment.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `uncommon_processes` |`uncommon_processes_on_endpoint_filter` \",\n                    \"known_false_positives\": \"None identified\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Privilege Escalation\",\n                            \"Unusual Processes\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1204.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 2\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Malicious File\"\n                        ],\n                        
\"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Magic Hound\",\n                            \"Windshift\",\n                            \"APT33\",\n                            \"Sandworm Team\",\n                            \"Naikon\",\n                            \"Whitefly\",\n                            \"Tropic Trooper\",\n                            \"Gamaredon Group\",\n                            \"Sharpshooter\",\n                            \"Molerats\",\n                            \"Wizard Spider\",\n                            \"Mofang\",\n                            \"Frankenstein\",\n                            \"RTM\",\n                            \"Inception\",\n                            \"BlackTech\",\n                            \"APT-C-36\",\n                            \"Machete\",\n                            \"admin@338\",\n                            \"APT12\",\n                            \"TA505\",\n                            \"Silence\",\n                            \"The White Company\",\n                            \"APT39\",\n                            \"FIN4\",\n                            \"Darkhotel\",\n                            \"Gallmaker\",\n                            \"APT19\",\n                            \"Dragonfly 2.0\",\n                            \"BRONZE BUTLER\",\n                            \"Cobalt Group\",\n                            \"DarkHydrus\",\n                            \"Gorgon Group\",\n                            \"Patchwork\",\n                            \"OilRig\",\n                            \"Dark Caracal\",\n                            \"MuddyWater\",\n                            \"Lazarus Group\",\n                            \"FIN7\",\n                            \"APT32\",\n                            \"Rancor\",\n                            \"APT37\",\n     
                       \"FIN8\",\n                            \"APT28\",\n                            \"Elderwood\",\n                            \"TA459\",\n                            \"APT29\",\n                            \"Leviathan\",\n                            \"menuPass\",\n                            \"PLATINUM\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"lookup update=true lookup_uncommon_processes_default process_name as process_name outputnew uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default | lookup update=true  lookup_uncommon_processes_local process_name as process_name outputnew uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local | eval uncommon = coalesce(uncommon_default, uncommon_local), analytic_story = coalesce(analytic_story_default, analytic_story_local), category=coalesce(category_default, category_local), kill_chain_phase=coalesce(kill_chain_phase_default, kill_chain_phase_local), mitre_attack=coalesce(mitre_attack_default, mitre_attack_local) | fields - analytic_story_default, analytic_story_local, 
category_default, category_local, kill_chain_phase_default, kill_chain_phase_local, mitre_attack_default, mitre_attack_local, uncommon_default, uncommon_local | search uncommon=true\",\n                            \"description\": \"This macro limits the output to processes that have been marked as uncommon\",\n                            \"name\": \"uncommon_processes\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"uncommon_processes_on_endpoint_filter\"\n                        }\n                    ]\n                }\n            ]\n        },\n        {\n            \"name\": \"Windows Service Abuse\",\n            \"id\": \"6dbd810e-f66d-414b-8dfc-e46de55cbfe2\",\n            \"version\": 3,\n            \"date\": \"2017-11-02\",\n            \"description\": \"Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.\",\n            \"narrative\": \"The Windows operating system uses a services architecture to allow for running code in the background, similar to a UNIX daemon. Attackers will often leverage Windows services for persistence, hiding in plain sight, seeking the ability to run privileged code that can interact with the kernel. In many cases, attackers will create a new service to host their malicious code. Attackers have also been observed modifying unnecessary or unused services to point to their own code, as opposed to what was intended. 
In these cases, attackers often use tools to create or modify services in ways that are not typical for most environments, providing opportunities for detection.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"type\": \"ESCU\",\n            \"references\": [\n                \"https://attack.mitre.org/wiki/Technique/T1050\",\n                \"https://attack.mitre.org/wiki/Technique/T1031\"\n            ],\n            \"tags\": {\n                \"analytics_story\": \"Windows Service Abuse\",\n                \"usecase\": \"Advanced Threat Detection\",\n                \"category\": [\n                    \"Malware\"\n                ],\n                \"mitre_attack_id\": [\n                    \"T1547.001\",\n                    \"T1543.003\",\n                    \"T1569.002\"\n                ],\n                \"mitre_attack_technique\": [\n                    \"Registry Run Keys / Startup Folder\",\n                    \"Windows Service\",\n                    \"Service Execution\"\n                ],\n                \"mitre_attack_tactics\": [\n                    \"Privilege Escalation\",\n                    \"Execution\",\n                    \"Persistence\"\n                ],\n                \"mitre_attack_groups\": [\n                    \"MuddyWater\",\n                    \"Putter Panda\",\n                    \"Dragonfly 2.0\",\n                    \"FIN7\",\n                    \"Lazarus Group\",\n                    \"APT41\",\n                    \"Gamaredon Group\",\n                    \"Honeybee\",\n                    \"BRONZE BUTLER\",\n                    \"Threat Group-3390\",\n                    \"Cobalt Group\",\n                    \"APT18\",\n                    \"FIN10\",\n                    \"APT32\",\n                    \"Tropic Trooper\",\n                    \"Patchwork\",\n                    \"Turla\",\n                    \"Ke3chang\",\n                    \"RTM\",\n                    
\"Sharpshooter\",\n                    \"APT29\",\n                    \"Silence\",\n                    \"Molerats\",\n                    \"APT19\",\n                    \"APT37\",\n                    \"DarkVishnya\",\n                    \"Blue Mockingbird\",\n                    \"Machete\",\n                    \"APT39\",\n                    \"Gorgon Group\",\n                    \"Magic Hound\",\n                    \"Inception\",\n                    \"Kimsuky\",\n                    \"Dark Caracal\",\n                    \"Carbanak\",\n                    \"APT3\",\n                    \"Darkhotel\",\n                    \"Wizard Spider\",\n                    \"Leviathan\",\n                    \"FIN6\",\n                    \"Rocke\",\n                    \"APT33\"\n                ]\n            },\n            \"detections\": [\n                {\n                    \"name\": \"First Time Seen Running Windows Service\",\n                    \"id\": \"823136f2-d755-4b6d-ae04-372b486a5808\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for the first and last time a Windows service is seen running in your environment. This table is then cached.\",\n                    \"how_to_implement\": \"While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows system event logs in order for this search to execute successfully. You should run the baseline search `Previously Seen Running Windows Services - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Running Windows Services - Update` to keep this table up to date and to age out old Windows Services. Please update the `previously_seen_windows_service_window` macro to adjust the time window. 
Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"David Dorsey, Splunk\",\n                    \"search\": \"`wineventlog_system` EventCode=7036 | rex field=Message \\\"The (?<service>[-\\\\(\\\\)\\\\s\\\\w]+) service entered the (?<state>\\\\w+) state\\\" | where state=\\\"running\\\" | lookup previously_seen_running_windows_services service as service OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), \\\"`previously_seen_windows_service_window`\\\") | table _time dest service | `first_time_seen_running_windows_service_filter`\",\n                    \"known_false_positives\": \"A previously unseen service is not necessarily malicious. Verify that the service is legitimate and that was installed by a legitimate process.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Service Abuse\",\n                            \"Orangeworm Attack Group\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1569.002\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\",\n                            \"Actions on Objectives\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 2\",\n                            \"CIS 9\"\n                        ],\n                        \"nist\": [\n                            \"ID.AM\",\n                            \"PR.DS\",\n                            \"PR.AC\",\n                            \"DE.AE\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n        
                    \"Service Execution\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Execution\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"APT39\",\n                            \"APT41\",\n                            \"Silence\",\n                            \"FIN6\",\n                            \"APT32\",\n                            \"Honeybee\",\n                            \"Ke3chang\"\n                        ]\n                    },\n                    \"baselines\": [\n                        {\n                            \"name\": \"Previously Seen Running Windows Services - Initial\",\n                            \"id\": \"64ce0ade-cb01-4678-bddd-d31c0b175394\",\n                            \"version\": 3,\n                            \"date\": \"2020-06-23\",\n                            \"description\": \"This collects the services that have been started across your entire enterprise.\",\n                            \"how_to_implement\": \"While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows security-event logs for it to execute successfully. 
Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"`wineventlog_system` EventCode=7036 | rex field=Message \\\"The (?<service>[-\\\\(\\\\)\\\\s\\\\w]+) service entered the (?<state>\\\\w+) state\\\" | where state=\\\"running\\\" | stats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen by service | outputlookup previously_seen_running_windows_services\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Orangeworm Attack Group\",\n                                    \"Windows Service Abuse\"\n                                ],\n                                \"detections\": [\n                                    \"First Time Seen Running Windows Service\"\n                                ],\n                                \"deployments\": [\n                                    \"90 Day Baseline\"\n                                ]\n                            }\n                        },\n                        {\n                            \"name\": \"Previously Seen Running Windows Services - Update\",\n                            \"id\": \"2e3bdd68-1863-46ee-81f8-87273eee7f1c\",\n                            \"version\": 3,\n                            \"date\": \"2020-06-23\",\n                            \"description\": \"This search returns the first and last time a Windows service was seen across your enterprise within the last hour. It then updates this information with historical data and filters out Windows services pairs that have not been seen within the specified time window. 
This updated table is then cached.\",\n                            \"how_to_implement\": \"While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows security-event logs for it to execute successfully. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.\",\n                            \"author\": \"David Dorsey, Splunk\",\n                            \"search\": \"`wineventlog_system` EventCode=7036 | rex field=Message \\\"The (?<service>[-\\\\(\\\\)\\\\s\\\\w]+) service entered the (?<state>\\\\w+) state\\\" | where state=\\\"running\\\" | stats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen by service | inputlookup previously_seen_running_windows_services append=t | stats min(firstTimeSeen) as firstTimeSeen, max(lastTimeSeen) as lastTimeSeen by service | where lastTimeSeen > relative_time(now(), \\\"`previously_seen_windows_service_forget_window`\\\") | outputlookup previously_seen_running_windows_services\",\n                            \"tags\": {\n                                \"analytics_story\": [\n                                    \"Orangeworm Attack Group\",\n                                    \"Windows Service Abuse\"\n                                ],\n                                \"detections\": [\n                                    \"First Time Seen Running Windows Service\"\n                                ],\n                                \"deployments\": [\n                                    \"Hourly Cache Updates\"\n                                ]\n                            }\n                        }\n                    ],\n                    \"macros\": [\n                        {\n                            \"definition\": \"eventtype=wineventlog_system\",\n                            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n                            \"name\": \"wineventlog_system\"\n                        },\n                        {\n                            \"description\": \"Use this macro to determine how far back you should be checking for new Windows services\",\n                            \"definition\": \"-70m@m\",\n                            \"name\": \"previously_seen_windows_service_window\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"first_time_seen_running_windows_service_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Reg exe Manipulating Windows Services Registry Keys\",\n                    \"id\": \"8470d755-0c13-45b3-bd63-387a373c10cf\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"The search looks for reg.exe modifying registry keys that define Windows services and their configurations.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes where Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services* by Processes.process_id Processes.dest Processes.process | `drop_dm_object_name(\\\"Processes\\\")` | `security_content_ctime(firstTime)` | 
`security_content_ctime(lastTime)` | `reg_exe_manipulating_windows_services_registry_keys_filter`\",\n                    \"known_false_positives\": \"It is unusual for a service to be created or modified by directly manipulating the registry. However, there may be legitimate instances of this behavior. It is important to validate and investigate, as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Service Abuse\",\n                            \"Windows Persistence Techniques\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1547.001\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\",\n                            \"PR.PT\",\n                            \"PR.AC\",\n                            \"PR.AT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Registry Run Keys / Startup Folder\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Rocke\",\n                            \"Tropic Trooper\",\n                            \"Gamaredon Group\",\n                            \"Sharpshooter\",\n                        
    \"Molerats\",\n                            \"Silence\",\n                            \"RTM\",\n                            \"Inception\",\n                            \"APT41\",\n                            \"Machete\",\n                            \"Kimsuky\",\n                            \"APT33\",\n                            \"APT39\",\n                            \"APT32\",\n                            \"APT18\",\n                            \"Turla\",\n                            \"Dark Caracal\",\n                            \"Cobalt Group\",\n                            \"Honeybee\",\n                            \"Threat Group-3390\",\n                            \"Dragonfly 2.0\",\n                            \"Gorgon Group\",\n                            \"Ke3chang\",\n                            \"APT19\",\n                            \"Leviathan\",\n                            \"MuddyWater\",\n                            \"APT37\",\n                            \"BRONZE BUTLER\",\n                            \"Magic Hound\",\n                            \"APT3\",\n                            \"FIN10\",\n                            \"FIN7\",\n                            \"Patchwork\",\n                            \"FIN6\",\n                            \"Lazarus Group\",\n                            \"Putter Panda\",\n                            \"APT29\",\n                            \"Darkhotel\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                    
        \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. \",\n                            \"name\": \"reg_exe_manipulating_windows_services_registry_keys_filter\"\n                        }\n                    ]\n                },\n                {\n                    \"name\": \"Sc exe Manipulating Windows Services\",\n                    \"id\": \"f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d\",\n                    \"version\": 4,\n                    \"date\": \"2020-07-21\",\n                    \"description\": \"This search looks for arguments to sc.exe indicating the creation or modification of a Windows service.\",\n                    \"type\": \"ESCU\",\n                    \"references\": [],\n                    \"author\": \"Rico Valdez, Splunk\",\n                    \"search\": \"| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process=\\\"* create *\\\" OR Processes.process=\\\"* config *\\\") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`\",\n                    \"known_false_positives\": \"Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. 
It is important to validate and investigate as appropriate.\",\n                    \"tags\": {\n                        \"analytics_story\": [\n                            \"Windows Service Abuse\",\n                            \"DHS Report TA18-074A\",\n                            \"Orangeworm Attack Group\",\n                            \"Windows Persistence Techniques\",\n                            \"Disabling Security Tools\"\n                        ],\n                        \"mitre_attack_id\": [\n                            \"T1543.003\"\n                        ],\n                        \"kill_chain_phases\": [\n                            \"Installation\"\n                        ],\n                        \"cis20\": [\n                            \"CIS 3\",\n                            \"CIS 5\",\n                            \"CIS 8\"\n                        ],\n                        \"nist\": [\n                            \"PR.IP\",\n                            \"PR.PT\",\n                            \"PR.AC\",\n                            \"PR.AT\",\n                            \"DE.CM\"\n                        ],\n                        \"security_domain\": \"endpoint\",\n                        \"asset_type\": \"Endpoint\",\n                        \"mitre_attack_technique\": [\n                            \"Windows Service\"\n                        ],\n                        \"mitre_attack_tactics\": [\n                            \"Persistence\",\n                            \"Privilege Escalation\"\n                        ],\n                        \"mitre_attack_groups\": [\n                            \"Blue Mockingbird\",\n                            \"DarkVishnya\",\n                            \"Wizard Spider\",\n                            \"APT32\",\n                            \"APT41\",\n                            \"Kimsuky\",\n                            \"Tropic Trooper\",\n                            \"Cobalt 
Group\",\n                            \"Ke3chang\",\n                            \"Honeybee\",\n                            \"FIN7\",\n                            \"Threat Group-3390\",\n                            \"APT19\",\n                            \"APT3\",\n                            \"Lazarus Group\",\n                            \"Carbanak\"\n                        ]\n                    },\n                    \"macros\": [\n                        {\n                            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n                            \"description\": \"search data model's summaries only\",\n                            \"name\": \"security_content_summariesonly\"\n                        },\n                        {\n                            \"arguments\": [\n                                \"field\"\n                            ],\n                            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n                            \"description\": \"convert epoch time to string\",\n                            \"name\": \"security_content_ctime\"\n                        },\n                        {\n                            \"definition\": \"search *\",\n                            \"description\": \"Update this macro to limit the output results to filter out false positives. 
\",\n                            \"name\": \"sc_exe_manipulating_windows_services_filter\"\n                        }\n                    ]\n                }\n            ]\n        }\n    ],\n    \"count\": 75\n}"}],"_postman_id":"1bb3ff54-6ad9-40cd-b9ce-869308a12fd6"}],"id":"309c583a-ebc3-4617-8740-70f2b5e8342e","description":"<p>analystic stories endpoint</p>\n","event":[{"listen":"prerequest","script":{"type":"text/javascript","exec":[""],"id":"db51e0cf-4b26-4be5-bc02-2afc2e64d3d7"}},{"listen":"test","script":{"type":"text/javascript","exec":[""],"id":"92e6132e-1f1e-4c08-949d-6bfe13812777"}}],"_postman_id":"309c583a-ebc3-4617-8740-70f2b5e8342e"},{"name":"baselines","item":[{"name":"/baselines","id":"20271b65-c534-46a5-855b-238051ce786b","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"auth":{"type":"noauth","isInherited":false},"method":"GET","header":[],"url":"https://content.splunkresearch.com/baselines","description":"<p>list all baselines</p>\n","urlObject":{"path":["baselines"],"host":["https://content.splunkresearch.com"],"query":[],"variable":[]}},"response":[{"id":"93161784-5dfd-459a-b9d3-5ec4dd9c25dc","name":"/baselines","originalRequest":{"method":"GET","header":[],"url":"https://content.splunkresearch.com/baselines"},"status":"OK","code":200,"_postman_previewlanguage":"json","header":[{"key":"Date","value":"Thu, 05 Nov 2020 08:25:46 GMT"},{"key":"Content-Type","value":"application/json"},{"key":"Content-Length","value":"54401"},{"key":"Connection","value":"keep-alive"},{"key":"x-amzn-RequestId","value":"06c2a377-eebf-4686-a8a4-4c93dde55a56"},{"key":"Access-Control-Allow-Origin","value":"*"},{"key":"Access-Control-Allow-Headers","value":"Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key"},{"key":"x-amz-apigw-id","value":"VhmJfG2lvHcFV8A="},{"key":"X-Amzn-Trace-Id","value":"Root=1-5fa3b709-6558f01b7908e0f563acc05a;Sampled=0"}],"cookie":[],"responseTime":null,"body":"{\n    \"baselines\": [\n        {\n            
\"name\": \"Add Prohibited Processes to Enterprise Security\",\n            \"id\": \"251930a5-1451-4428-bb13-eed5775be0ce\",\n            \"version\": 1,\n            \"date\": \"2017-09-15\",\n            \"description\": \"This search takes the existing interesting process table from ES, filters out any existing additions added by ESCU and then updates the table with processes identified by ESCU that should be prohibited on your endpoints.\",\n            \"how_to_implement\": \"This search should be run on each new install of ESCU.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| inputlookup interesting_processes_lookup | search note!=ESCU* | inputlookup append=T prohibitedProcesses_lookup | fillnull value=* dest dest_pci_domain | fillnull value=false is_required is_secure | fillnull value=true is_prohibited | outputlookup interesting_processes_lookup | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Emotet Malware  DHS Report TA18-201A \",\n                    \"Monitor for Unauthorized Software\",\n                    \"SamSam Ransomware\"\n                ],\n                \"detections\": [\n                    \"Prohibited Software On Endpoint\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Baseline of API Calls per User ARN\",\n            \"id\": \"fc0edc96-ff2b-48b0-9f6f-63da3783fd63\",\n            \"version\": 1,\n            \"date\": \"2018-04-09\",\n            \"description\": \"This search establishes, on a per-hour basis, the average and the standard deviation of the number of API calls made by each user. Also recorded is the number of data points for each user. 
This table is then outputted to a lookup file to allow the detection search to operate quickly.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`cloudtrail` eventType=AwsApiCall | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup api_call_by_user_baseline | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS User Monitoring\"\n                ],\n                \"detections\": [\n                    \"Detect Spike in AWS API Activity\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Baseline of blocked outbound traffic from AWS\",\n            \"id\": \"fc0edd96-ff2b-48b0-9f1f-63da3782fd63\",\n            \"version\": 1,\n            \"date\": \"2018-05-07\",\n            \"description\": \"This search establishes, on a per-hour basis, the average and the standard deviation of the number of outbound connections blocked in your VPC flow logs by each source IP address (IP address of your EC2 instances). Also recorded is the number of data points for each source IP. 
This table outputs to a lookup file to allow the detection search to operate quickly.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your `VPC flow logs.`.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | bucket _time span=1h | stats count as numberOfBlockedConnections by _time, src_ip | stats count(numberOfBlockedConnections) as numDataPoints, latest(numberOfBlockedConnections) as latestCount, avg(numberOfBlockedConnections) as avgBlockedConnections, stdev(numberOfBlockedConnections) as stdevBlockedConnections by src_ip | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Network ACL Activity\",\n                    \"Command and Control\",\n                    \"Suspicious AWS Traffic\"\n                ],\n                \"detections\": [\n                    \"Detect Spike in blocked Outbound Traffic from your AWS\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Baseline of Command Line Length - MLTK\",\n            \"id\": \"d2a4d85b-fc6a-47a0-82f6-bc1ec2ebc459\",\n            \"version\": 1,\n            \"date\": \"2019-05-08\",\n            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the command lines observed for each user in the environment. By default, the search uses the last 30 days of data to build the model. 
The model created by this search is then used in the corresponding detection search, which identifies outliers in the length of the command line.\",\n            \"how_to_implement\": \"You must be ingesting endpoint data and populating the Endpoint data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as start_time max(_time) as end_time FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | search user!=unknown | `security_content_ctime(start_time)`| `security_content_ctime(end_time)`| eval processlen=len(process) | fit DensityFunction processlen by user into cmdline_pdfmodel\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                    \"Ransomware\",\n                    \"Suspicious Command-Line Executions\",\n                    \"Suspicious MSHTA Activity\",\n                    \"Unusual Processes\"\n                ],\n                \"detections\": [\n                    
\"Detect Prohibited Applications Spawning cmd.exe\",\n                    \"Unusually Long Command Line - MLTK\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Baseline of DNS Query Length - MLTK\",\n            \"id\": \"c914844c-0ff5-4efc-8d44-c063443129ba\",\n            \"version\": 1,\n            \"date\": \"2019-05-08\",\n            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the DNS queries for each DNS record type observed in the environment. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search, which uses it to identify outliers in the length of the DNS query.\",\n            \"how_to_implement\": \"To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. 
More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name(\\\"DNS\\\")` | eval query_length = len(query) | fit DensityFunction query_length by record_type into dns_query_pdfmodel\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Command and Control\",\n                    \"Hidden Cobra Malware\",\n                    \"Suspicious DNS Traffic\"\n                ],\n                \"detections\": [\n                    \"DNS Query Length Outliers - MLTK\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Baseline of Excessive AWS Instances Launched by User - MLTK\",\n            \"id\": \"fa5634df-fb05-4b4b-aba0-6115138bb1ba\",\n            \"version\": 1,\n            \"date\": \"2019-11-14\",\n            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model for how many RunInstances users do in the environment. By default, the search uses the last 90 days of data to build the model. The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of RunInstances performed by a user in a small time window.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\\\\\\nIn addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. 
Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data.\\\\\\nMore information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n            \"author\": \"Jason Brewer, Splunk\",\n            \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success `ec2_excessive_runinstances_mltk_input_filter` | bucket span=10m _time | stats count as instances_launched by _time src_user | fit DensityFunction instances_launched threshold=0.0005 into ec2_excessive_runinstances_v1\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Cloud Cryptomining\",\n                    \"Suspicious AWS EC2 Activities\"\n                ],\n                \"detections\": [\n                    \"Abnormally High AWS Instances Launched by User - MLTK\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Baseline of Excessive AWS Instances Terminated by User - MLTK\",\n            \"id\": \"b28ed6de-e4ba-40f7-ae0a-93a088c774ab\",\n            \"version\": 1,\n            \"date\": \"2019-11-14\",\n            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model for how many TerminateInstances users do in the environment. By default, the search uses the last 90 days of data to build the model. 
The model created by this search is then used in the corresponding detection search, which identifies subsequent outliers in the number of TerminateInstances performed by a user in a small time window.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\\\\\\nIn addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. Depending on the number of users in your environment, you may also need to adjust the value for max_inputs in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data.\\\\\\nMore information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n            \"author\": \"Jason Brewer, Splunk\",\n            \"search\": \"`cloudtrail` eventName=TerminateInstances errorCode=success `ec2_excessive_terminateinstances_mltk_input_filter` | bucket span=10m _time | stats count as instances_terminated by _time src_user | fit DensityFunction instances_terminated threshold=0.0005 into ec2_excessive_terminateinstances_v1\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious AWS EC2 Activities\"\n                ],\n                \"detections\": [\n                    \"Abnormally High AWS Instances Terminated by User - MLTK\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Baseline of Network ACL Activity by ARN\",\n            \"id\": 
\"fc0edd96-ff2b-4810-9f1f-63da3783fd63\",\n            \"version\": 1,\n            \"date\": \"2018-05-21\",\n            \"description\": \"This search establishes, on a per-hour basis, the average and the standard deviation of the number of API calls that were related to network ACLs made by each user. Also recorded is the number of data points for each user. This table is then outputted to a lookup file to allow the detection search to operate quickly.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. To add or remove API event names for network ACLs, edit the macro `network_acl_events`.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` `network_acl_events` | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Network ACL Activity\"\n                ],\n                \"detections\": [\n                    \"Detect Spike in Network ACL Activity\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Baseline of S3 Bucket deletion activity by ARN\",\n            \"id\": \"fc0edd96-ff2b-48b0-9f1f-63eq3783fd63\",\n            \"version\": 1,\n            \"date\": \"2018-07-17\",\n            \"description\": \"This search establishes, on a per-hour basis, the average and standard deviation for the number of API calls related to deleting an S3 bucket by each user. Also recorded is the number of data points for each user. 
This table is then outputted to a lookup file to allow the detection search to operate quickly.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious AWS S3 Activities\"\n                ],\n                \"detections\": [\n                    \"Detect Spike in S3 Bucket deletion\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Baseline of Security Group Activity by ARN\",\n            \"id\": \"fc0edd96-ff2b-48b0-9f1f-63da3783fd63\",\n            \"version\": 1,\n            \"date\": \"2018-04-17\",\n            \"description\": \"This search establishes, on a per-hour basis, the average and the standard deviation for the number of API calls related to security groups made by each user. Also recorded is the number of data points for each user. This table is then outputted to a lookup file to allow the detection search to operate quickly.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. 
To add or remove API event names for security groups, edit the macro `security_group_api_calls`.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` `security_group_api_calls` | spath output=arn path=userIdentity.arn | bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls) as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls, stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS User Monitoring\"\n                ],\n                \"detections\": [\n                    \"Detect Spike in Security Group Activity\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Baseline of SMB Traffic - MLTK\",\n            \"id\": \"df98763b-0b08-4281-8ef9-08db7ac572a9\",\n            \"version\": 1,\n            \"date\": \"2019-05-08\",\n            \"description\": \"This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the number of SMB connections observed each hour for every day of week. By default, the search uses the last 30 days of data to build the model. The model created by this search is then used in the corresponding detection search to identify outliers in the number of SMB connections for that hour and day of the week.\",\n            \"how_to_implement\": \"You must be ingesting network traffic and populating the Network_Traffic data model. In addition, you must have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any required dependencies. To improve your results, you may consider adding \\\"src\\\" to the by clause, which will build the model for each unique source in your enviornment. 
However, if you have a large number of hosts in your environment, this search may be very resource intensive. In this case, you may need to raise the value of max_inputs and/or max_groups in the MLTK settings for the DensityFunction algorithm, then ensure that the search completes in a reasonable timeframe. By default, the search builds the model using the past 30 days of data. You can modify the search window to build the model over a longer period of time, which may give you better results. You may also want to periodically re-run this search to rebuild the model with the latest data. More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=10m, All_Traffic.src | eval HourOfDay=strftime(_time, \\\"%H\\\") | eval DayOfWeek=strftime(_time, \\\"%A\\\") | `drop_dm_object_name(\\\"All_Traffic\\\")` | fit DensityFunction count by \\\"HourOfDay,DayOfWeek\\\" into smb_pdfmodel\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"DHS Report TA18-074A\",\n                    \"Disabling Security Tools\",\n                    \"Emotet Malware  DHS Report TA18-201A \",\n                    \"Hidden Cobra Malware\",\n                    \"Netsh Abuse\",\n                    \"Ransomware\"\n                ],\n                \"detections\": [\n                    \"Processes launching netsh\",\n                    \"SMB Traffic Spike - MLTK\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Count of assets by category\",\n            \"id\": \"dcfd6b40-42f9-469d-a433-2e53f7489ff9\",\n            \"version\": 1,\n            \"date\": \"2017-09-13\",\n         
   \"description\": \"This search shows you every asset category you have and the assets that belong to those categories.\",\n            \"how_to_implement\": \"To successfully implement this search you must first leverage the Assets and Identity framework in Enterprise Security to populate your assets_by_str.csv file which should then be mapped to the Identity_Management data model. The Identity_Management data model will contain a list of known authorized company assets. Ensure that all inventoried systems are constantly vetted and updated.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| from datamodel Identity_Management.All_Assets | stats count values(nt_host) by category | sort -count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Asset Tracking\"\n                ],\n                \"detections\": [\n                    \"Detect Unauthorized Assets by MAC address\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Count of Unique IPs Connecting to Ports\",\n            \"id\": \"9f3bae5a-9fe3-49df-8c84-5edc51d84b7f\",\n            \"version\": 1,\n            \"date\": \"2017-09-13\",\n            \"description\": \"The search counts the number of times a connection was observed to each destination port, and the number of unique source IPs connecting to them.\",\n            \"how_to_implement\": \"To successfully implement this search, you must be ingesting network traffic, and populating the Network_Traffic data model.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count dc(All_Traffic.src) as numberOfUniqueHosts from datamodel=Network_Traffic by All_Traffic.dest_port | `drop_dm_object_name(\\\"All_Traffic\\\")` | sort - count\",\n            \"tags\": {}\n        },\n        {\n            \"name\": \"Create a list of approved AWS service accounts\",\n            \"id\": 
\"fc0edc95-ff2b-48b1-5f6f-63ga3789fd43\",\n            \"version\": 2,\n            \"date\": \"2018-12-03\",\n            \"description\": \"This search looks for successful API activity in CloudTrail within the last 30 days, filters out known users from the identity table, and outputs values of users into `aws_service_accounts.csv` lookup file.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Please validate the service account entires in `aws_service_accounts.csv`, which is a lookup file created as a result of running this support search. Please remove the entries of service accounts that are not legitimate.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` errorCode=success | rename userName as identity | search NOT [inputlookup identity_lookup_expanded | fields identity] | stats count by identity | table identity | outputlookup aws_service_accounts | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS User Monitoring\"\n                ],\n                \"detections\": [\n                    \"Detect AWS API Activities From Unapproved Accounts\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Discover DNS records\",\n            \"id\": \"c096f721-8842-42ce-bfc7-74bd8c72b7c3\",\n            \"version\": 1,\n            \"date\": \"2019-02-14\",\n            \"description\": \"The search takes corporate and common cloud provider domains configured under `cim_corporate_email_domains.csv`, `cim_corporate_web_domains.csv`, and `cloud_domains.csv` finds their responses across the last 30 days from data in the `Network_Resolution ` datamodel, then stores the output under the `discovered_dns_records.csv` lookup\",\n            \"how_to_implement\": \"To successfully implement this search, 
you must be ingesting DNS logs, and populating the Network_Resolution data model. Also make sure that the cim_corporate_web_domains and cim_corporate_email_domains lookups are populated with the domains owned by your corporation\",\n            \"author\": \"Jose Hernandez, Splunk\",\n            \"search\": \"| inputlookup cim_corporate_email_domains.csv | inputlookup append=T cim_corporate_web_domains.csv | inputlookup append=T cim_cloud_domains.csv | eval domain = trim(replace(domain, \\\"\\\\*\\\", \\\"\\\")) | join domain [|tstats `security_content_summariesonly` count values(DNS.record_type) as type, values(DNS.answer) as answer from datamodel=Network_Resolution where DNS.message_type=RESPONSE DNS.answer!=\\\"unknown\\\" DNS.answer!=\\\"\\\" by DNS.query | rename DNS.query as query | where query!=\\\"unknown\\\" | rex field=query \\\"(?<domain>\\\\w+\\\\.\\\\w+?)(?:$|/)\\\"] | makemv delim=\\\" \\\" answer |  makemv delim=\\\" \\\" type | sort -count | table count,domain,type,query,answer | outputlookup createinapp=true discovered_dns_records.csv\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"DNS Hijacking\"\n                ],\n                \"detections\": [\n                    \"DNS record changed\"\n                ]\n            }\n        },\n        {\n            \"name\": \"DNSTwist Domain Names\",\n            \"id\": \"19f7d2ec-6028-4d01-bcdb-bda9a034c17f\",\n            \"version\": 2,\n            \"date\": \"2018-10-08\",\n            \"description\": \"This search creates permutations of your existing domains, removes the valid domain names and stores them in a specified lookup file so they can be checked for in the associated detection searches.\",\n            \"how_to_implement\": \"To successfully implement this search you need to update the file called domains.csv in the DA-ESS-SOC/lookup directory. 
Or `cim_corporate_email_domains.csv` and `cim_corporate_web_domains.csv` from **Splunk\\\\_SA\\\\_CIM**.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| dnstwist domainlist=domains.csv | `remove_valid_domains` | eval domain_abuse=\\\"true\\\" | table domain, domain_abuse | outputlookup brandMonitoring_lookup | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Brand Monitoring\",\n                    \"Suspicious Emails\"\n                ],\n                \"detections\": [\n                    \"Monitor Email For Brand Abuse\",\n                    \"Monitor DNS For Brand Abuse\",\n                    \"Monitor Web Traffic For Brand Abuse\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Identify Systems Creating Remote Desktop Traffic\",\n            \"id\": \"5cdda34f-4caf-4128-a713-0837fc48b67a\",\n            \"version\": 1,\n            \"date\": \"2017-09-15\",\n            \"description\": \"This search counts the numbers of times the system has generated remote desktop traffic.\",\n            \"how_to_implement\": \"To successfully implement this search, you must ingest network traffic and populate the Network_Traffic data model.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=3389 by All_Traffic.src | `drop_dm_object_name(\\\"All_Traffic\\\")` | sort - count\",\n            \"tags\": {}\n        },\n        {\n            \"name\": \"Identify Systems Receiving Remote Desktop Traffic\",\n            \"id\": \"baaeea15-fe8a-4090-92c2-5b60943bb608\",\n            \"version\": 1,\n            \"date\": \"2017-09-15\",\n            \"description\": \"This search counts the numbers of times the system has created remote desktop traffic\",\n            \"how_to_implement\": \"To successfully implement 
this search you must ingest network traffic and populate the Network_Traffic data model. If a system receives a lot of remote desktop traffic, you can apply the category common_rdp_destination to it.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=3389 by All_Traffic.dest | `drop_dm_object_name(\\\"All_Traffic\\\")` | sort - count\",\n            \"tags\": {}\n        },\n        {\n            \"name\": \"Identify Systems Using Remote Desktop\",\n            \"id\": \"063dfe9f-b1d7-4254-a16d-1e2e7eadd6a8\",\n            \"version\": 1,\n            \"date\": \"2019-04-01\",\n            \"description\": \"This search counts the numbers of times the remote desktop process, mstsc.exe, has run on each system.\",\n            \"how_to_implement\": \"To successfully implement this search you must be ingesting endpoint data that records process activity.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name=\\\"*mstsc.exe*\\\" by Processes.dest Processes.process_name | `drop_dm_object_name(Processes)` | sort - count\",\n            \"tags\": {}\n        },\n        {\n            \"name\": \"Monitor Successful Backups\",\n            \"id\": \"b4d0dfb2-2195-4f6e-93a3-48468ed9734e\",\n            \"version\": 1,\n            \"date\": \"2017-09-12\",\n            \"description\": \"This search is intended to give you a feel for how often successful backups are conducted in your environment. 
Fluctuations in these numbers will allow you to determine when you should investigate.\",\n            \"how_to_implement\": \"To successfully implement this search you must be ingesting your backup logs.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`netbackup` \\\"Disk/Partition backup completed successfully.\\\" | bucket _time span=1d | stats dc(COMPUTERNAME) as count values(COMPUTERNAME) as dest by _time, MESSAGE\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Monitor Backup Solution\"\n                ],\n                \"detections\": [\n                    \"Unsuccessful Netbackup backups\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Monitor Unsuccessful Backups\",\n            \"id\": \"b2178fed-592f-492b-b851-74161678aa56\",\n            \"version\": 1,\n            \"date\": \"2017-09-12\",\n            \"description\": \"This search is intended to give you a feel for how often backup failures happen in your environments.  
Fluctuations in these numbers will allow you to determine when you should investigate.\",\n            \"how_to_implement\": \"To successfully implement this search you must be ingesting your backup logs.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`netbackup` \\\"An error occurred, failed to backup.\\\" | bucket _time span=1d | stats dc(COMPUTERNAME) as count values(COMPUTERNAME) as dest by _time, MESSAGE\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Monitor Backup Solution\"\n                ],\n                \"detections\": [\n                    \"Unsuccessful Netbackup backups\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously seen API call per user roles in CloudTrail\",\n            \"id\": \"fc0edc95-fq2c-48b0-9f6f-63da3289fd03\",\n            \"version\": 1,\n            \"date\": \"2018-04-16\",\n            \"description\": \"This search looks for successful API calls made by different user roles, then creates a baseline of the earliest and latest times we have encountered this user role. It also returns the name of the API call in our dataset--grouped by user role and name of the API call--that occurred within the last 30 days. In this support search, we are only looking for events where the user identity is Assumed Role.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
Please validate the user role entries in `previously_seen_api_calls_from_user_roles.csv`, which is a lookup file created as a result of running this support search.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS User Monitoring\"\n                ],\n                \"detections\": [\n                    \"Detect new API calls from user roles\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously Seen AWS Cross Account Activity\",\n            \"id\": \"1cc22b09-c867-416e-a511-cb36ac44aee2\",\n            \"version\": 1,\n            \"date\": \"2018-06-04\",\n            \"description\": \"This search looks for **AssumeRole** events where the requesting account differs from the requested account, then writes these relationships to a lookup file.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
Validate the user name entries in `previously_seen_aws_cross_account_activity.csv`, a lookup file created by this support search.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`cloudtrail` eventName=AssumeRole | spath output=requestingAccountId path=userIdentity.accountId | spath output=requestedAccountId path=resources{}.accountId | search requestingAccountId=* | where requestingAccountId!=requestedAccountId | stats earliest(_time) as firstTime latest(_time) as lastTime by requestingAccountId, requestedAccountId | outputlookup previously_seen_aws_cross_account_activity | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Cross Account Activity\"\n                ],\n                \"detections\": [\n                    \"AWS Cross Account Activity From Previously Unseen Account\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously Seen AWS Provisioning Activity Sources\",\n            \"id\": \"ac88e6a0-4fba-4dfd-b7b9-8964df7d1aee\",\n            \"version\": 1,\n            \"date\": \"2018-03-16\",\n            \"description\": \"This search builds a table of the first and last times seen for every IP address (along with its physical location) previously associated with cloud-provisioning activity. 
This is broadly defined as any event that runs or creates something.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Suspicious Provisioning Activities\"\n                ],\n                \"detections\": [\n                    \"AWS Cloud Provisioning From Previously Unseen IP Address\",\n                    \"AWS Cloud Provisioning From Previously Unseen City\",\n                    \"AWS Cloud Provisioning From Previously Unseen Country\",\n                    \"AWS Cloud Provisioning From Previously Unseen Region\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously Seen AWS Regions\",\n            \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd63\",\n            \"version\": 1,\n            \"date\": \"2018-01-08\",\n            \"description\": \"This search looks for CloudTrail events where an AWS instance is started and creates a baseline of most recent time (latest) and the first time (earliest) we've seen this region in our dataset grouped by the value awsRegion for the last 30 days\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`cloudtrail` StartInstances | stats earliest(_time) as earliest latest(_time) as latest 
by awsRegion | outputlookup previously_seen_aws_regions.csv | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Cryptomining\",\n                    \"Suspicious AWS EC2 Activities\"\n                ],\n                \"detections\": [\n                    \"EC2 Instance Started In Previously Unseen Region\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously Seen Cloud Compute Creations By User\",\n            \"id\": \"9fa1c205-4e08-4681-bb1b-d0943e734b85\",\n            \"version\": 1,\n            \"date\": \"2018-03-15\",\n            \"description\": \"This search builds a table of previously seen users that have launched a cloud compute instance.\",\n            \"how_to_implement\": \"You must be ingesting the approrpiate cloud infrastructure logs and have the Security Research cloud data model installed.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Cloud_Infrastructure.Compute where Compute.action=run `previously_seen_cloud_compute_creations_by_user_input_filter` by Compute.src_user | `drop_dm_object_name(\\\"Compute\\\")` | outputlookup previously_seen_cloud_compute_creations_by_user | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Cloud Cryptomining\"\n                ],\n                \"detections\": [\n                    \"Cloud Compute Instance Created By Previously Unseen User\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously Seen Cloud Compute Images\",\n            \"id\": \"3782ad10-5ce2-46e2-b9c4-1de9ecd3aecc\",\n            \"version\": 1,\n            \"date\": \"2018-03-12\",\n            \"description\": \"This search builds a table of previously seen images used to launch cloud compute instances\",\n            
\"how_to_implement\": \"You must be ingesting the approrpiate cloud infrastructure logs and have the Security Research cloud data model installed.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Cloud_Infrastructure.Compute where Compute.action=run `previously_seen_cloud_compute_image_input_filter` by Compute.image_id | `drop_dm_object_name(\\\"Compute\\\")` | outputlookup previously_seen_cloud_compute_images | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Cloud Cryptomining\"\n                ],\n                \"detections\": [\n                    \"Cloud Compute Instance Created With Previously Unseen Image\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously Seen Cloud Compute Instance Types\",\n            \"id\": \"0ef13d46-164e-4cf5-816e-b3c0df170d00\",\n            \"version\": 1,\n            \"date\": \"2019-10-03\",\n            \"description\": \"This search builds a table of previously seen cloud compute instance types\",\n            \"how_to_implement\": \"You must be ingesting the approrpiate cloud infrastructure logs and have the Security Research cloud data model installed.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Cloud_Infrastructure.Compute where Compute.action=run `previously_seen_cloud_compute_instance_types_input_filter` by Compute.instance_type | `drop_dm_object_name(\\\"Compute\\\")` | outputlookup previously_seen_cloud_compute_instance_types | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Cloud Cryptomining\"\n                ],\n                \"detections\": [\n                    \"Cloud Compute Instance Created With Previously Unseen Instance Type\"\n 
               ]\n            }\n        },\n        {\n            \"name\": \"Previously Seen Cloud Regions\",\n            \"id\": \"b5e232db-dec6-4db8-aaa1-dd5474521e40\",\n            \"version\": 1,\n            \"date\": \"2019-10-02\",\n            \"description\": \"This search looks for cloud compute events where a compute instance is started and creates a baseline of most recent time, `lastTime` and the first time `firstTime` we've seen this region in our dataset grouped by the region for the last 30 days\",\n            \"how_to_implement\": \"You must be ingesting the approrpiate cloud infrastructure logs and have the Security Research cloud data model installed.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Cloud_Infrastructure.Compute where Compute.action=start `previously_seen_cloud_regions_input_filter` by Compute.region | `drop_dm_object_name(\\\"Compute\\\")` | outputlookup previously_seen_cloud_regions | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Cloud Cryptomining\"\n                ],\n                \"detections\": [\n                    \"Cloud Compute Instance Started In Previously Unused Region\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously seen command line arguments\",\n            \"id\": \"56059acf-50fe-4f60-98d1-b75b51b5c2f3\",\n            \"version\": 2,\n            \"date\": \"2019-03-01\",\n            \"description\": \"This search looks for command-line arguments where `cmd.exe /c` is used to execute a program, then creates a baseline of the earliest and latest times we have encountered this command-line argument in our dataset within the last 30 days.\",\n            \"how_to_implement\": \"You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the 
Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments are mapped to the \\\"process\\\" field in the Endpoint data model.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe AND Processes.process=\\\"* /c *\\\" by Processes.process | `drop_dm_object_name(Processes)`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"DHS Report TA18-074A\",\n                    \"Disabling Security Tools\",\n                    \"Hidden Cobra Malware\",\n                    \"Netsh Abuse\",\n                    \"Orangeworm Attack Group\",\n                    \"Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns\",\n                    \"Suspicious Command-Line Executions\",\n                    \"Suspicious MSHTA Activity\"\n                ],\n                \"detections\": [\n                    \"Detect Prohibited Applications Spawning cmd.exe\",\n                    \"Processes launching netsh\",\n                    \"First time seen command line argument\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously Seen EC2 AMIs\",\n            \"id\": \"bb1bd99d-1e93-45f1-9571-cfed42d372b9\",\n            \"version\": 1,\n            \"date\": \"2018-03-12\",\n            \"description\": \"This search builds a table of previously seen AMIs used to launch EC2 instances\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`cloudtrail` eventName=RunInstances 
errorCode=success | rename requestParameters.instancesSet.items{}.imageId as amiID | stats earliest(_time) as firstTime latest(_time) as lastTime by amiID | outputlookup previously_seen_ec2_amis.csv | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Cryptomining\"\n                ],\n                \"detections\": [\n                    \"EC2 Instance Started With Previously Unseen AMI\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously Seen EC2 Instance Types\",\n            \"id\": \"b8f029f2-65a6-4d76-be98-dad1c9d59c45\",\n            \"version\": 1,\n            \"date\": \"2018-03-08\",\n            \"description\": \"This search builds a table of previously seen EC2 instance types\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success | rename requestParameters.instanceType as instanceType | fillnull value=\\\"m1.small\\\" instanceType | stats earliest(_time) as earliest latest(_time) as latest by instanceType | outputlookup previously_seen_ec2_instance_types.csv | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Cryptomining\"\n                ],\n                \"detections\": [\n                    \"EC2 Instance Started With Previously Unseen Instance Type\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously Seen EC2 Launches By User\",\n            \"id\": \"6c767ac0-0906-4355-9a83-927f5ee7bdad\",\n            \"version\": 1,\n            \"date\": \"2018-03-15\",\n            \"description\": \"This search builds a table of previously seen ARNs that have launched a EC2 
instance.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`cloudtrail` eventName=RunInstances errorCode=success | rename userIdentity.arn as arn | stats earliest(_time) as firstTime latest(_time) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user.csv | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"AWS Cryptomining\",\n                    \"Suspicious AWS EC2 Activities\"\n                ],\n                \"detections\": [\n                    \"EC2 Instance Started With Previously Unseen User\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously Seen EC2 Modifications By User\",\n            \"id\": \"4d69091b-d975-4267-85df-888bd41034eb\",\n            \"version\": 1,\n            \"date\": \"2018-04-05\",\n            \"description\": \"This search builds a table of previously seen ARNs that have modified an EC2 instance, where a modification is any successful API call matched by the `ec2_modification_api_calls` macro.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail inputs. 
To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`cloudtrail` `ec2_modification_api_calls` errorCode=success | spath output=arn userIdentity.arn | stats earliest(_time) as firstTime latest(_time) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Unusual AWS EC2 Modifications\"\n                ],\n                \"detections\": [\n                    \"EC2 Instance Modified With Previously Unseen User\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously Seen Running Windows Services - Initial\",\n            \"id\": \"64ce0ade-cb01-4678-bddd-d31c0b175394\",\n            \"version\": 3,\n            \"date\": \"2020-06-23\",\n            \"description\": \"This collects the services that have been started across your entire enterprise.\",\n            \"how_to_implement\": \"While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows security-event logs for it to execute successfully. 
Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`wineventlog_system` EventCode=7036 | rex field=Message \\\"The (?<service>[-\\\\(\\\\)\\\\s\\\\w]+) service entered the (?<state>\\\\w+) state\\\" | where state=\\\"running\\\" | stats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen by service | outputlookup previously_seen_running_windows_services\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Orangeworm Attack Group\",\n                    \"Windows Service Abuse\"\n                ],\n                \"detections\": [\n                    \"First Time Seen Running Windows Service\"\n                ],\n                \"deployments\": [\n                    \"90 Day Baseline\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously Seen Running Windows Services - Update\",\n            \"id\": \"2e3bdd68-1863-46ee-81f8-87273eee7f1c\",\n            \"version\": 3,\n            \"date\": \"2020-06-23\",\n            \"description\": \"This search returns the first and last time a Windows service was seen across your enterprise within the last hour. It then updates this information with historical data and filters out Windows services pairs that have not been seen within the specified time window. This updated table is then cached.\",\n            \"how_to_implement\": \"While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows security-event logs for it to execute successfully. 
Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"`wineventlog_system` EventCode=7036 | rex field=Message \\\"The (?<service>[-\\\\(\\\\)\\\\s\\\\w]+) service entered the (?<state>\\\\w+) state\\\" | where state=\\\"running\\\" | stats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen by service | inputlookup previously_seen_running_windows_services append=t | stats min(firstTimeSeen) as firstTimeSeen, max(lastTimeSeen) as lastTimeSeen by service | where lastTimeSeen > relative_time(now(), \\\"`previously_seen_windows_service_forget_window`\\\") | outputlookup previously_seen_running_windows_services\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Orangeworm Attack Group\",\n                    \"Windows Service Abuse\"\n                ],\n                \"detections\": [\n                    \"First Time Seen Running Windows Service\"\n                ],\n                \"deployments\": [\n                    \"Hourly Cache Updates\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously seen S3 bucket access by remote IP\",\n            \"id\": \"fc0edc15-fq2c-48b0-9f6f-63qa1281fd03\",\n            \"version\": 1,\n            \"date\": \"2018-06-28\",\n            \"description\": \"This search looks for successful access to S3 buckets from remote IP addresses, then creates a baseline of the earliest and latest times we have encountered this remote IP within the last 30 days. In this support search, we are only looking for S3 access events where the HTTP response code from AWS is \\\"200\\\"\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access-logs inputs. 
You must validate the remote IP and bucket name entries in `previously_seen_S3_access_from_remote_ip.csv`, which is a lookup file created as a result of running this support search.\",\n            \"author\": \"Bhavin Patel, Splunk\",\n            \"search\": \"`aws_s3_accesslogs` http_status=200  | stats  earliest(_time) as earliest latest(_time) as latest by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious AWS S3 Activities\"\n                ],\n                \"detections\": [\n                    \"Detect S3 access from a new IP\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously seen users in CloudTrail\",\n            \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd03\",\n            \"version\": 1,\n            \"date\": \"2018-04-30\",\n            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last 30 days.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n            \"author\": \"Jason Brewer, Splunk\",\n            \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) as firstTime latest(_time) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious AWS Login Activities\"\n                ],\n                \"detections\": [\n                    \"Detect AWS Console Login by User from New Country\",\n                    \"Detect AWS Console Login by User from New Region\",\n                    \"Detect AWS Console Login by User from New City\",\n                    \"Detect new user AWS Console Login\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously seen users in CloudTrail - DM\",\n            \"id\": \"0a87ecf9-dc6a-43af-861a-205e75a09bf5\",\n            \"version\": 1,\n            \"date\": \"2020-05-28\",\n            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by username, within the last 30 days.\",\n            \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. 
Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | table user src City Region Country firstTime lastTime | outputlookup previously_seen_users_console_logins.csv | stats count\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Cloud Authentication Activities\"\n                ],\n                \"detections\": [\n                    \"Detect AWS Console Login by User from New Country\",\n                    \"Detect AWS Console Login by User from New Region\",\n                    \"Detect AWS Console Login by User from New City\",\n                    \"Detect new user AWS Console Login - DM\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously Seen Zoom Child Processes - Initial\",\n            \"id\": \"60b9c00f-a9d6-4e51-803c-5d63ea21b95b\",\n            \"version\": 1,\n            \"date\": \"2020-05-20\",\n            \"description\": \"This search returns the first and last time a process was seen per endpoint with a parent process of zoom.exe (Windows) or zoom.us (macOS). 
This table is then cached.\",\n            \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTimeSeen max(_time) as lastTimeSeen from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_name Processes.dest| `drop_dm_object_name(Processes)` | table dest, process_name, firstTimeSeen, lastTimeSeen | outputlookup zoom_first_time_child_process\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Zoom Child Processes\"\n                ],\n                \"detections\": [\n                    \"First Time Seen Child Process of Zoom\"\n                ],\n                \"deployments\": [\n                    \"90 Day Baseline\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Previously Seen Zoom Child Processes - Update\",\n            \"id\": \"80aea7fd-5da2-4533-b3c2-560533bfbaee\",\n            \"version\": 1,\n            \"date\": \"2020-05-20\",\n            \"description\": \"This search returns the first and last time a process was seen per endpoint with a parent process of zoom.exe (Windows) or zoom.us (macOS) within the last hour. It then updates this information with historical data and filters out proces_name and endpoint pairs that have not been seen within the specified time window. 
This updated table is outputed to disk.\",\n            \"how_to_implement\": \"You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` min(_time) as firstTimeSeen max(_time) as lastTimeSeen from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_name Processes.dest| `drop_dm_object_name(Processes)` | table firstTimeSeen, lastTimeSeen, process_name, dest | inputlookup zoom_first_time_child_process append=t | stats min(firstTimeSeen) as firstTimeSeen max(lastTimeSeen) as lastTimeSeen by process_name, dest | where lastTimeSeen > relative_time(now(), \\\"`previously_seen_zoom_child_processes_forget_window`\\\") | outputlookup zoom_first_time_child_process\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Zoom Child Processes\"\n                ],\n                \"detections\": [\n                    \"First Time Seen Child Process of Zoom\"\n                ],\n                \"deployments\": [\n                    \"Hourly Cache Updates\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Systems Ready for Spectre-Meltdown Windows Patch\",\n            \"id\": \"fc0edc95-ff2b-48b0-9f6f-63da3789fd61\",\n            \"version\": 1,\n            \"date\": \"2018-01-08\",\n            \"description\": \"Some AV applications can cause the Spectre/Meltdown patch for Windows not to install successfully. This registry key is supposed to be created by the AV engine when it has been patched to be able to handle the Windows patch. 
If this key has been written, the system can then be patched for Spectre and Meltdown.\",\n            \"how_to_implement\": \"You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change_Analysis.All_Changes where All_Changes.object_category=registry AND (All_Changes.object_path=\\\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\QualityCompat*\\\") by All_Changes.dest, All_Changes.command, All_Changes.user, All_Changes.object, All_Changes.object_path | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(\\\"All_Changes\\\")`\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Spectre And Meltdown Vulnerabilities\"\n                ],\n                \"detections\": [\n                    \"Spectre and Meltdown Vulnerable Systems\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Update previously seen users in CloudTrail\",\n            \"id\": \"06c036e6-d6d7-4daa-bd76-411c3d356031\",\n            \"version\": 1,\n            \"date\": \"2018-04-30\",\n            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by ARN, within the last hour.\",\n            \"how_to_implement\": \"You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. 
Please validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created as a result of running this support search.\",\n            \"author\": \"Jason Brewer, Splunk\",\n            \"search\": \"`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | iplocation src | eval City=if(City LIKE \\\"\\\",src,City),Region=if(Region LIKE \\\"\\\",src,Region) | stats earliest(_time) AS firstTime latest(_time) AS lastTime by user src City Region Country | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious AWS Login Activities\"\n                ],\n                \"detections\": [\n                    \"Detect AWS Console Login by User from New Country\",\n                    \"Detect AWS Console Login by User from New Region\",\n                    \"Detect AWS Console Login by User from New City\",\n                    \"Detect new user AWS Console Login\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Update previously seen users in CloudTrail - DM\",\n            \"id\": \"66ff71c2-7e01-47dd-a041-906688c9d322\",\n            \"version\": 1,\n            \"date\": \"2020-05-28\",\n            \"description\": \"This search looks for CloudTrail events where a user logs into the console, then updates the baseline of the latest and earliest times, City, Region, and Country we have encountered this user in our dataset, grouped by user, within the last hour.\",\n            \"how_to_implement\": \"You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. 
Validate the user name entries in `previously_seen_users_console_logins.csv`, which is a lookup file created by this support search.\",\n            \"author\": \"Rico Valdez, Splunk\",\n            \"search\": \"| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | table user src City Region Country firstTime lastTime | inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country | outputlookup previously_seen_users_console_logins.csv\",\n            \"tags\": {\n                \"analytics_story\": [\n                    \"Suspicious Cloud Authentication Activities\"\n                ],\n                \"detections\": [\n                    \"Detect AWS Console Login by User from New Country\",\n                    \"Detect AWS Console Login by User from New Region\",\n                    \"Detect AWS Console Login by User from New City\",\n                    \"Detect new user AWS Console Login - DM\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Windows Updates Install Failures\",\n            \"id\": \"6a4dbd1b-4502-4a11-943a-82b5ae7a42d7\",\n            \"version\": 1,\n            \"date\": \"2017-09-14\",\n            \"description\": \"This search is intended to give you a feel for how often Windows updates fail to install in your environment. 
Fluctuations in these numbers will allow you to determine when you should be concerned.\",\n            \"how_to_implement\": \"You must be ingesting your Windows Update Logs\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` dc(Updates.dest) as count FROM datamodel=Updates where Updates.vendor_product=\\\"Microsoft Windows\\\" AND Updates.status=failure by _time span=1d\",\n            \"tags\": {}\n        },\n        {\n            \"name\": \"Windows Updates Install Successes\",\n            \"id\": \"6a80535c-86a6-4b54-894c-4b446d0c701d\",\n            \"version\": 1,\n            \"date\": \"2017-09-14\",\n            \"description\": \"This search is intended to give you a feel for how often successful Windows updates are applied in your environments. Fluctuations in these numbers will allow you to determine when you should be concerned.\",\n            \"how_to_implement\": \"You must be ingesting your Windows Update Logs\",\n            \"author\": \"David Dorsey, Splunk\",\n            \"search\": \"| tstats `security_content_summariesonly` dc(Updates.dest) as count FROM datamodel=Updates where Updates.vendor_product=\\\"Microsoft Windows\\\" AND Updates.status=installed by _time span=1d\",\n            \"tags\": {}\n        }\n    ],\n    \"count\": 46\n}"}],"_postman_id":"20271b65-c534-46a5-855b-238051ce786b"}],"id":"1f4a0afd-ffdc-4d7e-8031-091ed4abe8f5","description":"<p>baselines 
endpoint</p>\n","event":[{"listen":"prerequest","script":{"type":"text/javascript","exec":[""],"id":"66ed8f1c-812e-464c-917d-fc66a550f6f6"}},{"listen":"test","script":{"type":"text/javascript","exec":[""],"id":"cb3567b0-816b-4fc7-a9c2-8b0e5b01766f"}}],"_postman_id":"1f4a0afd-ffdc-4d7e-8031-091ed4abe8f5"},{"name":"macros","item":[{"name":"/macros","id":"ca2c1881-1145-47b5-946f-9e3f5d8610fa","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"auth":{"type":"noauth","isInherited":false},"method":"GET","header":[],"url":"https://content.splunkresearch.com/macros","description":"<p>list all macros</p>\n","urlObject":{"path":["macros"],"host":["https://content.splunkresearch.com"],"query":[],"variable":[]}},"response":[{"id":"c03a8ad5-f804-48a7-9ba0-2ca3583aac31","name":"/macros","originalRequest":{"method":"GET","header":[],"url":"https://content.splunkresearch.com/macros"},"status":"OK","code":200,"_postman_previewlanguage":"json","header":[{"key":"Date","value":"Thu, 05 Nov 2020 08:27:23 GMT"},{"key":"Content-Type","value":"application/json"},{"key":"Content-Length","value":"20557"},{"key":"Connection","value":"keep-alive"},{"key":"x-amzn-RequestId","value":"1584386b-d4bc-4f5d-9b66-3b6fe246d1a1"},{"key":"Access-Control-Allow-Origin","value":"*"},{"key":"Access-Control-Allow-Headers","value":"Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key"},{"key":"x-amz-apigw-id","value":"VhmYjGjHvHcFQ8w="},{"key":"X-Amzn-Trace-Id","value":"Root=1-5fa3b769-2407effa3d9cb3b77fe5885b;Sampled=0"}],"cookie":[],"responseTime":null,"body":"{\n    \"macros\": [\n        {\n            \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"aws_cloudwatchlogs_eks\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters\",\n            \"name\": \"aws_cross_account_activity_from_previously_unseen_account___dm_filter\"\n        },\n        {\n            \"definition\": \"sourcetype=aws:s3:accesslogs\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"aws_s3_accesslogs\"\n        },\n        {\n            \"definition\": \"sourcetype=\\\"aws:securityhub:firehose\\\"\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"aws_securityhub_firehose\"\n        },\n        {\n            \"definition\": \"lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true\",\n            \"description\": \"This macro limits the output to only domains that are in the brand monitoring lookup file\",\n            \"name\": \"brand_abuse_dns\"\n        },\n        {\n            \"definition\": \"lookup update=true brandMonitoring_lookup domain as src_user OUTPUT domain_abuse | search domain_abuse=true\",\n            \"description\": \"This macro limits the output to only domains that are in the brand monitoring lookup file\",\n            \"name\": \"brand_abuse_email\"\n        },\n        {\n            \"definition\": \"lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse | search domain_abuse=true\",\n            \"description\": \"This macro limits the output to only domains that are in the brand monitoring lookup file\",\n            
\"name\": \"brand_abuse_web\"\n        },\n        {\n            \"definition\": \"eventtype=cisco_ios\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"cisco_networks\"\n        },\n        {\n            \"description\": \"Use this macro to add additional filters for monitoring clients connecting to multiple dns servers\",\n            \"name\": \"clients_connecting_to_multiple_dns_servers_output_filter\",\n            \"definition\": \"search *\"\n        },\n        {\n            \"definition\": \"sourcetype=aws:cloudtrail\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"cloudtrail\"\n        },\n        {\n            \"definition\": \"sourcetype=\\\"aws:cloudwatchlogs:eks\\\"\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch eks logs. Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"cloudwatch_eks\"\n        },\n        {\n            \"definition\": \"sourcetype=aws:cloudwatchlogs:vpcflow\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for AWS cloudwatch vpc logs. Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"cloudwatch_vpc\"\n        },\n        {\n            \"definition\": \"sourcetype=aws:cloudwatchlogs:vpcflow\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"cloudwatchlogs_vpcflow\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filter for create or delete windows shares\",\n            \"name\": \"create_or_delete_windows_shares_filter\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters to prevent i.e. false positives\",\n            \"name\": \"detect_arp_poisoning_filter\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters\",\n            \"name\": \"detect_new_user_aws_console_login___dm_filter\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters to prevent i.e. false positives\",\n            \"name\": \"detect_rogue_dhcp_server_filter\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters\",\n            \"name\": \"detect_zerologon_via_zeek_filter\"\n        },\n        {\n            \"definition\": \"lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True\",\n            \"description\": \"This macro limits the output of the query field to dynamic dns domains. 
It looks up the domains in a file provided by Splunk and one intended to be updated by the end user.\",\n            \"name\": \"dynamic_dns_providers\"\n        },\n        {\n            \"definition\": \"lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True\",\n            \"description\": \"This macro limits the output of the url field to dynamic dns domains. It looks up the domains in a file provided by Splunk and one intended to be updated by the end user.\",\n            \"name\": \"dynamic_dns_web_traffic\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters\",\n            \"name\": \"ec2_excessive_runinstances_mltk_input_filter\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters\",\n            \"name\": \"ec2_excessive_terminateinstances_mltk_input_filter\"\n        },\n        {\n            \"definition\": \"(eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=GetConsoleOutput OR eventName=GetConsoleScreenshot OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)\",\n            \"description\": \"This is a list of AWS event names that have to do with modifying Amazon EC2 instances\",\n            \"name\": \"ec2_modification_api_calls\"\n        },\n        {\n            \"definition\": \"(query=login* AND 
query=www*)\",\n            \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as Office 365\",\n            \"name\": \"evilginx_phishlets_0365\"\n        },\n        {\n            \"definition\": \"(query=fls-na* AND query = www* AND query=images*)\",\n            \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as Amazon\",\n            \"name\": \"evilginx_phishlets_amazon\"\n        },\n        {\n            \"definition\": \"(query=www* AND query=aws* AND query=console.aws* AND query=signin.aws* AND query=api-northeast-1.console.aws* AND query=fls-na* AND query=images-na*)\",\n            \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as an AWS console\",\n            \"name\": \"evilginx_phishlets_aws\"\n        },\n        {\n            \"definition\": \"(query=www* AND query = m* AND query=static*)\",\n            \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as FaceBook\",\n            \"name\": \"evilginx_phishlets_facebook\"\n        },\n        {\n            \"definition\": \"(query=api* AND query = github*)\",\n            \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as GitHub\",\n            \"name\": \"evilginx_phishlets_github\"\n        },\n        {\n            \"definition\": \"(query=accounts* AND query=ssl* AND query=www*)\",\n            \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as Google\",\n            \"name\": \"evilginx_phishlets_google\"\n        },\n        {\n            \"definition\": \"(query=outlook* AND query=login* AND query=account*)\",\n            \"description\": \"This limits the query fields to domains that are associated with evilginx masquerading as Outlook\",\n            
\"name\": \"evilginx_phishlets_outlook\"\n        },\n        {\n            \"definition\": \"index=netops sourcetype=\\\"f5:bigip:rogue\\\"\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"f5_bigip_rogue\"\n        },\n        {\n            \"definition\": \"lookup update=true lookup_rare_process_whitelist_default process as process OUTPUTNEW whitelist | where whitelist=\\\"false\\\" | lookup update=true lookup_rare_process_whitelist_local process as process OUTPUT whitelist | where whitelist=\\\"false\\\"\",\n            \"description\": \"This macro is intended to whitelist processes that have been definied as rare\",\n            \"name\": \"filter_rare_process_whitelist\"\n        },\n        {\n            \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for Google GCP. Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"google_gcp_pubnet_message\"\n        },\n        {\n            \"definition\": \"sourcetype=\\\"google:gcp:pubsub:message\\\"\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"google_gcp_pubsub_message\"\n        },\n        {\n            \"definition\": \"lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true\",\n            \"description\": \"This macro limits the output to process names that are in the Windows System directory\",\n            \"name\": \"is_windows_system_file\"\n        },\n        {\n            \"definition\": \"sourcetype=mscs:storage:blob:json\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"kubernetes_azure\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters\",\n            \"name\": \"kubernetes_azure_detect_most_active_service_accounts_by_pod_namespace_filter\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters\",\n            \"name\": \"kubernetes_azure_detect_rbac_authorization_by_account_filter\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters\",\n            \"name\": \"kubernetes_azure_detect_sensitive_object_access_filter\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters\",\n            \"name\": \"kubernetes_azure_detect_sensitive_role_access_filter\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters\",\n            \"name\": \"kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter\"\n        
},\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters\",\n            \"name\": \"kubernetes_azure_detect_suspicious_kubectl_calls_filter\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters\",\n            \"name\": \"kubernetes_azure_pod_scan_fingerprint_detection_filter\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters\",\n            \"name\": \"kubernetes_azure_scan_fingerprint_filter\"\n        },\n        {\n            \"definition\": \"sourcetype=\\\"netbackup_logs\\\"\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"netbackup\"\n        },\n        {\n            \"definition\": \"(eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)\",\n            \"description\": \"This is a list of AWS event names that are associated with Network ACLs\",\n            \"name\": \"network_acl_events\"\n        },\n        {\n            \"definition\": \"eventtype=okta_log\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"okta\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters\",\n            \"name\": \"previously_seen_cloud_compute_creations_by_user_input_filter\"\n        },\n        {\n            \"description\": \"Use this macro to determine how far into the past the window should be to determine if the user is new or not\",\n            \"definition\": \"-70m@m\",\n            \"name\": \"previously_seen_cloud_compute_creations_by_user_search_window_begin_offset\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters\",\n            \"name\": \"previously_seen_cloud_compute_image_input_filter\"\n        },\n        {\n            \"description\": \"Use this macro to determine how far into the past the window should be to determine if the image is new or not\",\n            \"definition\": \"-70m@m\",\n            \"name\": \"previously_seen_cloud_compute_image_search_window_begin_offset\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters\",\n            \"name\": \"previously_seen_cloud_compute_instance_types_input_filter\"\n        },\n        {\n            \"description\": \"Use this macro to determine how far into the past the window should be to determine if the instance type is new or not\",\n            \"definition\": \"-70m@m\",\n            \"name\": \"previously_seen_cloud_compute_instance_types_search_window_begin_offset\"\n        },\n        {\n            \"definition\": \"search *\",\n            \"description\": \"Use this macro to add additional filters\",\n            \"name\": \"previously_seen_cloud_regions_input_filter\"\n        },\n        {\n            \"description\": \"Use this macro 
to determine how far into the past the window should be to determine if the region is new or not\",\n            \"definition\": \"-70m@m\",\n            \"name\": \"previously_seen_cloud_regions_search_window_begin_offset\"\n        },\n        {\n            \"description\": \"Use this macro to determine how long to keep track of Windows services\",\n            \"definition\": \"-90d@d\",\n            \"name\": \"previously_seen_windows_services_forget_window\"\n        },\n        {\n            \"description\": \"Use this macro to determine how far back you should be checking for new Windows services\",\n            \"definition\": \"-70m@m\",\n            \"name\": \"previously_seen_windows_service_window\"\n        },\n        {\n            \"description\": \"Use this macro to determine how long to keep track of zoom child processes\",\n            \"definition\": \"-90d@d\",\n            \"name\": \"previously_seen_zoom_child_processes_forget_window\"\n        },\n        {\n            \"description\": \"Use this macro to determine how far back you should be checking for new zoom child processes\",\n            \"definition\": \"-70m@m\",\n            \"name\": \"previously_seen_zoom_child_processes_window\"\n        },\n        {\n            \"definition\": \"| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name=\\\"*\\\" . 
parent_process_name | table parent_process_name\",\n            \"description\": \"This macro outputs a list of processes that should not be the parent process of cmd.exe\",\n            \"name\": \"prohibited_apps_launching_cmd\"\n        },\n        {\n            \"definition\": \"lookup interesting_processes_lookup app as process_name OUTPUT is_prohibited | search is_prohibited=True\",\n            \"description\": \"This macro limits the output to process_names that have been marked as prohibited\",\n            \"name\": \"prohibited_softwares\"\n        },\n        {\n            \"definition\": \"lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Name | search Name !=False\",\n            \"description\": \"This macro limits the output to files that have extensions associated with ransomware\",\n            \"name\": \"ransomware_extensions\"\n        },\n        {\n            \"definition\": \"lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status as \\\"Known Ransomware Notes\\\" | search \\\"Known Ransomware Notes\\\"=True\",\n            \"description\": \"This macro limits the output to files that have been identified as a ransomware note\",\n            \"name\": \"ransomware_notes\"\n        },\n        {\n            \"definition\": \"eval domain=trim(domain,\\\"*\\\") | search NOT[| inputlookup domains]  NOT[ |inputlookup cim_corporate_email_domain_lookup] NOT[| inputlookup cim_corporate_web_domain_lookup] | eval domain=\\\"*\\\"+domain+\\\"*\\\"\",\n            \"description\": \"This macro removes valid domains from the output\",\n            \"name\": \"remove_valid_domains\"\n        },\n        {\n            \"definition\": \"sourcetype=aws:s3:accesslogs\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype) for AWS S3 access logs. 
Replace the macro definition with configurations for your Splunk Environment.\",\n            \"name\": \"s3_accesslogs\"\n        },\n        {\n            \"arguments\": [\n                \"field\"\n            ],\n            \"definition\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\",\n            \"description\": \"convert epoch time to string\",\n            \"name\": \"security_content_ctime\"\n        },\n        {\n            \"definition\": \"summariesonly=false allow_old_summaries=true\",\n            \"description\": \"Controls tstats summary behaviour for data-model searches. The shipped definition (summariesonly=false allow_old_summaries=true) searches raw events as well as accelerated summaries; set summariesonly=true once data-model acceleration is populated to search summaries only\",\n            \"name\": \"security_content_summariesonly\"\n        },\n        {\n            \"definition\": \"(eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress)\",\n            \"description\": \"This macro is a list of AWS event names associated with security groups\",\n            \"name\": \"security_group_api_calls\"\n        },\n        {\n            \"definition\": \"sourcetype=stream:dns\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n            \"name\": \"stream_dns\"\n        },\n        {\n            \"definition\": \"sourcetype=stream:http\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environment.\",\n            \"name\": \"stream_http\"\n        },\n        {\n            \"definition\": \"sourcetype=stream:tcp\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.\",\n            \"name\": \"stream_tcp\"\n        },\n        {\n            \"definition\": \"lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true\",\n            \"description\": \"This macro limits the output to email attachments that have suspicious extensions\",\n            \"name\": \"suspicious_email_attachments\"\n        },\n        {\n            \"definition\": \"lookup suspicious_writes_lookup file as file_name OUTPUT note as \\\"Reference\\\" | search \\\"Reference\\\" != False\",\n            \"description\": \"This macro limits the output to file names that have been marked as suspicious\",\n            \"name\": \"suspicious_writes\"\n        },\n        {\n            \"definition\": \"sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"sysmon\"\n        },\n        {\n            \"definition\": \"(process_name= \\\"arp.exe\\\" OR process_name= \\\"at.exe\\\" OR process_name= \\\"attrib.exe\\\" OR process_name= \\\"cscript.exe\\\" OR process_name= \\\"dsquery.exe\\\" OR process_name= \\\"hostname.exe\\\" OR process_name= \\\"ipconfig.exe\\\" OR process_name= \\\"mimikatz.exe\\\" OR process_name= \\\"nbstat.exe\\\" OR process_name= \\\"net.exe\\\" OR process_name= \\\"netsh.exe\\\" OR process_name= \\\"nslookup.exe\\\" OR process_name= \\\"ping.exe\\\" OR process_name= \\\"quser.exe\\\" OR process_name= \\\"qwinsta.exe\\\" OR process_name= \\\"reg.exe\\\" OR process_name= \\\"runas.exe\\\" OR process_name= \\\"sc.exe\\\" OR process_name= \\\"schtasks.exe\\\" OR process_name= \\\"ssh.exe\\\" OR process_name= \\\"systeminfo.exe\\\" OR process_name= \\\"taskkill.exe\\\" OR process_name= \\\"telnet.exe\\\" OR process_name= \\\"tracert.exe\\\" OR process_name=\\\"wscript.exe\\\" OR process_name= \\\"xcopy.exe\\\")\",\n            \"description\": \"This macro is a list of process that can be used to discover the network configuration\",\n            \"name\": \"system_network_configuration_discovery_tools\"\n        },\n        {\n            \"definition\": \"lookup update=true lookup_uncommon_processes_default process_name as process_name outputnew uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default | lookup update=true  lookup_uncommon_processes_local process_name as process_name outputnew uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local | eval uncommon = coalesce(uncommon_default, uncommon_local), analytic_story = coalesce(analytic_story_default, analytic_story_local), category=coalesce(category_default, category_local), kill_chain_phase=coalesce(kill_chain_phase_default, kill_chain_phase_local), 
mitre_attack=coalesce(mitre_attack_default, mitre_attack_local) | fields - analytic_story_default, analytic_story_local, category_default, category_local, kill_chain_phase_default, kill_chain_phase_local, mitre_attack_default, mitre_attack_local, uncommon_default, uncommon_local | search uncommon=true\",\n            \"description\": \"This macro limits the output to processes that have been marked as uncommon\",\n            \"name\": \"uncommon_processes\"\n        },\n        {\n            \"definition\": \"eventtype=wineventlog_security\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"wineventlog_security\"\n        },\n        {\n            \"definition\": \"eventtype=wineventlog_system\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"wineventlog_system\"\n        },\n        {\n            \"definition\": \"sourcetype=\\\"wineventlog:microsoft-windows-wmi-activity/operational\\\"\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"wmi\"\n        },\n        {\n            \"definition\": \"index=zeek sourcetype=\\\"zeek:rpc:json\\\"\",\n            \"description\": \"customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.\",\n            \"name\": \"zeek_rpc\"\n        }\n    ],\n    \"count\": 80\n}"}],"_postman_id":"ca2c1881-1145-47b5-946f-9e3f5d8610fa"}],"id":"5180aca7-4e4c-4485-9411-d4934dd3d0a8","event":[{"listen":"prerequest","script":{"type":"text/javascript","exec":[""],"id":"52fd36e5-26cb-482f-96c5-78a79eda62a4"}},{"listen":"test","script":{"type":"text/javascript","exec":[""],"id":"f67e0133-718b-4151-8651-23b3149076ae"}}],"_postman_id":"5180aca7-4e4c-4485-9411-d4934dd3d0a8","description":""},{"name":"lookups","item":[{"name":"/lookups","id":"8e083f7f-1cd6-4a8d-9b60-230adbd84fed","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"auth":{"type":"noauth","isInherited":false},"method":"GET","header":[],"url":"https://content.splunkresearch.com/lookups","description":"<p>list all lookups</p>\n","urlObject":{"path":["lookups"],"host":["https://content.splunkresearch.com"],"query":[],"variable":[]}},"response":[{"id":"074b6fa3-2124-4b25-93e1-a36d7a0d12f8","name":"/lookups","originalRequest":{"method":"GET","header":[],"url":"https://content.splunkresearch.com/lookups"},"status":"OK","code":200,"_postman_previewlanguage":"json","header":[{"key":"Date","value":"Thu, 05 Nov 2020 08:28:04 GMT"},{"key":"Content-Type","value":"application/json"},{"key":"Content-Length","value":"10560"},{"key":"Connection","value":"keep-alive"},{"key":"x-amzn-RequestId","value":"6de95a52-4ad5-4aea-9c6c-22db237236e6"},{"key":"Access-Control-Allow-Origin","value":"*"},{"key":"Access-Control-Allow-Headers","value":"Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key"},{"key":"x-amz-apigw-id","value":"VhmeoENwvHcFVqw="},{"key":"X-Amzn-Trace-Id","value":"Root=1-5fa3b790-5c43d84a781f87a4464c6eff;Sampled=0"}],"cookie":[],"responseTime":null,"body":"{\n    \"lookups\": [\n        {\n            \"description\": \"A collection that will contain the baseline information for number of AWS API calls per 
user\",\n            \"collection\": \"api_call_by_user_baseline\",\n            \"name\": \"api_call_by_user_baseline\",\n            \"fields_list\": \"arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/api_call_by_user_baseline.csv\"\n        },\n        {\n            \"description\": \"A lookup file that will contain AWS Service accounts\",\n            \"filename\": \"aws_service_accounts.csv\",\n            \"name\": \"aws_service_accounts\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/aws_service_accounts.csv\"\n        },\n        {\n            \"description\": \"A lookup file that will contain the baseline information for number of blocked outbound connections\",\n            \"filename\": \"baseline_blocked_outbound_connections.csv\",\n            \"name\": \"baseline_blocked_outbound_connections\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/baseline_blocked_outbound_connections.csv\"\n        },\n        {\n            \"default_match\": \"false\",\n            \"description\": \"A file that contains look-a-like domains for brands that you want to monitor\",\n            \"filename\": \"brand_monitoring.csv\",\n            \"match_type\": \"WILDCARD(domain)\",\n            \"min_matches\": 1,\n            \"name\": \"brandMonitoring_lookup\"\n        },\n        {\n            \"description\": \"The CSC control numbers and names\",\n            \"filename\": \"csc_lookup.csv\",\n            \"min_matches\": 1,\n            \"name\": \"csc_lookup\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/csc_lookup.csv\"\n        },\n        {\n            \"default_match\": \"false\",\n            \"description\": \"A placeholder for a list of discovered DNS records generated by the baseline 
discover_dns_records\",\n            \"filename\": \"discovered_dns_records.csv\",\n            \"min_matches\": 1,\n            \"name\": \"discovered_dns_records\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/discovered_dns_records.csv\"\n        },\n        {\n            \"description\": \"A list of domains that can be whitelisted\",\n            \"filename\": \"domains.csv\",\n            \"name\": \"domains\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/domains.csv\"\n        },\n        {\n            \"case_sensitive_match\": \"false\",\n            \"description\": \"A list of dynammic dns providers that should not be modified\",\n            \"filename\": \"dynamic_dns_providers_default.csv\",\n            \"match_type\": \"WILDCARD(dynamic_dns_domains)\",\n            \"name\": \"dynamic_dns_providers_default\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/dynamic_dns_providers_default.csv\"\n        },\n        {\n            \"case_sensitive_match\": \"false\",\n            \"description\": \"A list of dynammic dns providers that can be modified\",\n            \"filename\": \"dynamic_dns_providers_local.csv\",\n            \"match_type\": \"WILDCARD(dynamic_dns_domains)\",\n            \"name\": \"dynamic_dns_providers_local\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/dynamic_dns_providers_local.csv\"\n        },\n        {\n            \"description\": \"A placeholder lookup file to hold information for ESCU Usage dashboard\",\n            \"filename\": \"escu_search_id.csv\",\n            \"name\": \"escu_search_id_lookup\"\n        },\n        {\n            \"description\": \"A list of suspicious extensions for email attachments\",\n            \"filename\": \"is_suspicious_file_extension_lookup.csv\",\n            \"match_type\": 
\"WILDCARD(file_name)\",\n            \"name\": \"is_suspicious_file_extension_lookup\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/is_suspicious_file_extension_lookup.csv\"\n        },\n        {\n            \"default_match\": \"false\",\n            \"description\": \"A list of executable files in Windows\\\\System32\",\n            \"filename\": \"is_windows_system_file.csv\",\n            \"min_matches\": 1,\n            \"name\": \"is_windows_system_file\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/is_windows_system_file.csv\"\n        },\n        {\n            \"description\": \"A list of legit domains to be used to whitelist possible phishing sites\",\n            \"filename\": \"legit_domains.csv\",\n            \"name\": \"legit_domains\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/legit_domains.csv\"\n        },\n        {\n            \"case_sensitive_match\": \"false\",\n            \"default_match\": \"false\",\n            \"description\": \"A list of rare processes that are legitimate provided by Splunk\",\n            \"filename\": \"rare_process_whitelist_default.csv\",\n            \"match_type\": \"WILDCARD(process)\",\n            \"min_matches\": 1,\n            \"name\": \"lookup_rare_process_whitelist_default\"\n        },\n        {\n            \"case_sensitive_match\": \"false\",\n            \"default_match\": \"false\",\n            \"description\": \"A list of rare processes that are legitimate provided by the end user\",\n            \"filename\": \"rare_process_whitelist_local.csv\",\n            \"match_type\": \"WILDCARD(process)\",\n            \"min_matches\": 1,\n            \"name\": \"lookup_rare_process_whitelist_local\"\n        },\n        {\n            \"case_sensitive_match\": \"false\",\n            \"description\": \"A list of processes that are not common\",\n          
  \"filename\": \"uncommon_processes_default.csv\",\n            \"match_type\": \"WILDCARD(process)\",\n            \"name\": \"lookup_uncommon_processes_default\"\n        },\n        {\n            \"case_sensitive_match\": \"false\",\n            \"description\": \"A list of processes that are not common\",\n            \"filename\": \"uncommon_processes_local.csv\",\n            \"match_type\": \"WILDCARD(process)\",\n            \"name\": \"lookup_uncommon_processes_local\"\n        },\n        {\n            \"description\": \"A lookup file that will contain the baseline information for number of AWS Network ACL Activity\",\n            \"filename\": \"network_acl_activity_baseline.csv\",\n            \"name\": \"network_acl_activity_baseline\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/network_acl_activity_baseline.csv\"\n        },\n        {\n            \"description\": \"A placeholder for a list of IPs that have access S3\",\n            \"filename\": \"previously_seen_S3_access_from_remote_ip.csv\",\n            \"name\": \"previously_seen_S3_access_from_remote_ip\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/previously_seen_S3_access_from_remote_ip.csv\"\n        },\n        {\n            \"description\": \"A placeholder for a list of AWS API calls for each user role\",\n            \"filename\": \"previously_seen_api_calls_from_user_roles.csv\",\n            \"name\": \"previously_seen_api_calls_from_user_roles\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/previously_seen_api_calls_from_user_roles.csv\"\n        },\n        {\n            \"description\": \"A placeholder for a list of AWS accounts and assumed roles\",\n            \"filename\": \"previously_seen_aws_cross_account_activity.csv\",\n            \"name\": \"previously_seen_aws_cross_account_activity\",\n            \"csv_file_url\": 
\"https://security-content.s3-us-west-2.amazonaws.com/lookups/previously_seen_aws_cross_account_activity.csv\"\n        },\n        {\n            \"default_match\": \"false\",\n            \"description\": \"A place holder for a list of used AWS regions\",\n            \"filename\": \"previously_seen_aws_regions.csv\",\n            \"min_matches\": 1,\n            \"name\": \"previously_seen_aws_regions\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/previously_seen_aws_regions.csv\"\n        },\n        {\n            \"default_match\": \"false\",\n            \"description\": \"A place holder for a list of users that have created cloud compute instances\",\n            \"filename\": \"previously_seen_cloud_compute_creations_by_user.csv\",\n            \"min_matches\": 1,\n            \"name\": \"previously_seen_cloud_compute_creations_by_user\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/previously_seen_cloud_compute_creations_by_user.csv\"\n        },\n        {\n            \"default_match\": \"false\",\n            \"description\": \"A place holder for a list of used cloud compute images\",\n            \"filename\": \"previously_seen_cloud_compute_images.csv\",\n            \"min_matches\": 1,\n            \"name\": \"previously_seen_cloud_compute_images\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/previously_seen_cloud_compute_images.csv\"\n        },\n        {\n            \"default_match\": \"false\",\n            \"description\": \"A place holder for a list of used cloud compute instance types\",\n            \"filename\": \"previously_seen_cloud_compute_instance_types.csv\",\n            \"min_matches\": 1,\n            \"name\": \"previously_seen_cloud_compute_instance_types\",\n            \"csv_file_url\": 
\"https://security-content.s3-us-west-2.amazonaws.com/lookups/previously_seen_cloud_compute_instance_types.csv\"\n        },\n        {\n            \"default_match\": \"false\",\n            \"description\": \"A place holder for a list of used cloud compute images\",\n            \"filename\": \"previously_seen_cloud_regions.csv\",\n            \"min_matches\": 1,\n            \"name\": \"previously_seen_cloud_regions\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/previously_seen_cloud_regions.csv\"\n        },\n        {\n            \"description\": \"A placeholder for a list of cmd line arugments that been seen before\",\n            \"filename\": \"previously_seen_cmd_line_arguments.csv\",\n            \"name\": \"previously_seen_cmd_line_arguments\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/previously_seen_cmd_line_arguments.csv\"\n        },\n        {\n            \"description\": \"A place holder for a list of AWS EC2 modifications done by each user\",\n            \"filename\": \"previously_seen_ec2_modifications_by_user.csv\",\n            \"name\": \"previously_seen_ec2_modifications_by_user\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/previously_seen_ec2_modifications_by_user.csv\"\n        },\n        {\n            \"description\": \"A placeholder for the list of Windows Services running\",\n            \"collection\": \"previously_seen_running_windows_services\",\n            \"name\": \"previously_seen_running_windows_services\",\n            \"fields_list\": \"_key, service, firstTimeSeen, lastTimeSeen\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/previously_seen_running_windows_services.csv\"\n        },\n        {\n            \"description\": \"A list of processes that have been marked as prohibited\",\n            \"filename\": 
\"prohibited_processes.csv\",\n            \"name\": \"prohibitedProcesses_lookup\"\n        },\n        {\n            \"description\": \"A list of processes that should not be launching cmd.exe\",\n            \"fields\": \"prohibited_applications\",\n            \"filename\": \"prohibited_apps_launching_cmd.csv\",\n            \"match_type\": \"WILDCARD(prohibited_applications)\",\n            \"name\": \"prohibited_apps_launching_cmd\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/prohibited_apps_launching_cmd.csv\"\n        },\n        {\n            \"default_match\": \"false\",\n            \"description\": \"A list of file extensions that are associated with ransomware\",\n            \"filename\": \"ransomware_extensions.csv\",\n            \"min_matches\": 1,\n            \"name\": \"ransomware_extensions_lookup\"\n        },\n        {\n            \"default_match\": \"false\",\n            \"description\": \"A list of file names that are ransomware note files\",\n            \"filename\": \"ransomware_notes.csv\",\n            \"match_type\": \"WILDCARD(ransomware_notes)\",\n            \"min_matches\": 1,\n            \"name\": \"ransomware_notes_lookup\"\n        },\n        {\n            \"description\": \"A placeholder for the baseline information for AWS S3 deletions\",\n            \"filename\": \"s3_deletion_baseline.csv\",\n            \"name\": \"s3_deletion_baseline\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/s3_deletion_baseline.csv\"\n        },\n        {\n            \"description\": \"A placeholder for the baseline information for AWS security groups\",\n            \"filename\": \"security_group_activity_baseline.csv\",\n            \"name\": \"security_group_activity_baseline\",\n            \"csv_file_url\": \"https://security-content.s3-us-west-2.amazonaws.com/lookups/security_group_activity_baseline.csv\"\n        },\n        {\n      
      \"default_match\": \"false\",\n            \"description\": \"A list of services that deal with security\",\n            \"filename\": \"security_services.csv\",\n            \"match_type\": \"WILDCARD(service)\",\n            \"min_matches\": 1,\n            \"name\": \"security_services_lookup\"\n        },\n        {\n            \"default_match\": \"false\",\n            \"description\": \"A list of suspicious file names\",\n            \"filename\": \"suspicious_files.csv\",\n            \"match_type\": \"WILDCARD(file)\",\n            \"min_matches\": 1,\n            \"name\": \"suspicious_writes_lookup\"\n        },\n        {\n            \"description\": \"A list of suspicious file names\",\n            \"collection\": \"zoom_first_time_child_process\",\n            \"name\": \"zoom_first_time_child_process\",\n            \"fields_list\": \"_key, dest, process_name, firstTimeSeen, lastTimeSeen\"\n        }\n    ],\n    \"count\": 38\n}"}],"_postman_id":"8e083f7f-1cd6-4a8d-9b60-230adbd84fed"}],"id":"4a4764a0-e9e1-476e-a6ae-1d5c262d77f5","event":[{"listen":"prerequest","script":{"type":"text/javascript","exec":[""],"id":"5d2ba0ba-b9cc-4c74-9a5d-fef26056e83f"}},{"listen":"test","script":{"type":"text/javascript","exec":[""],"id":"1f750d56-5f20-47ef-b34f-3e646fb88572"}}],"_postman_id":"4a4764a0-e9e1-476e-a6ae-1d5c262d77f5","description":""},{"name":"deployments","item":[{"name":"/deployments","id":"86a7b75c-33c5-43cf-8e00-1f38299025ef","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"auth":{"type":"noauth","isInherited":false},"method":"GET","header":[],"url":"https://content.splunkresearch.com/deployments","description":"<p>list all 
deployments</p>\n","urlObject":{"path":["deployments"],"host":["https://content.splunkresearch.com"],"query":[],"variable":[]}},"response":[{"id":"1c409274-7645-4325-80cb-2ebd999703db","name":"/deployments","originalRequest":{"method":"GET","header":[],"url":"https://content.splunkresearch.com/deployments"},"status":"OK","code":200,"_postman_previewlanguage":"json","header":[{"key":"Date","value":"Thu, 05 Nov 2020 08:28:52 GMT"},{"key":"Content-Type","value":"application/json"},{"key":"Content-Length","value":"3260"},{"key":"Connection","value":"keep-alive"},{"key":"x-amzn-RequestId","value":"201c5fe6-fbe8-4f0e-886c-e685a63a657b"},{"key":"Access-Control-Allow-Origin","value":"*"},{"key":"Access-Control-Allow-Headers","value":"Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key"},{"key":"x-amz-apigw-id","value":"VhmmqHayPHcFY3g="},{"key":"X-Amzn-Trace-Id","value":"Root=1-5fa3b7c4-7e560e870ebc4a4d46f8fc88;Sampled=0"}],"cookie":[],"responseTime":null,"body":"{\n    \"deployments\": [\n        {\n            \"name\": \"Enterprise Security deployment configuration\",\n            \"id\": \"bc91a8cd-35e7-4bb2-6140-e756cc46f212\",\n            \"date\": \"2020-04-27\",\n            \"description\": \"This configuration file applies to all correlation searches that are used for detection\",\n            \"author\": \"Bhavin Patel\",\n            \"scheduling\": {\n                \"cron_schedule\": \"0 * * * *\",\n                \"earliest_time\": \"-70m@m\",\n                \"latest_time\": \"-10m@m\",\n                \"schedule_window\": \"auto\"\n            },\n            \"alert_action\": {\n                \"notable\": {\n                    \"rule_description\": \"%description%\",\n                    \"rule_title\": \"%name%\",\n                    \"nes_fields\": [\n                        \"user\",\n                        \"dest\",\n                        \"src\"\n                    ]\n                }\n            },\n            
\"tags\": {\n                \"analytics_story\": \"all\"\n            }\n        },\n        {\n            \"name\": \"Detect ARP Poisoning deployment configuration\",\n            \"id\": \"e1d5b4dc-4cf3-404f-905c-b478bbb20474\",\n            \"date\": \"2020-08-14\",\n            \"description\": \"This configuration file applies to the Detect ARP Poisoning detection\",\n            \"author\": \"Mikael Bjerkeland\",\n            \"scheduling\": {\n                \"cron_schedule\": \"59 * * * *\",\n                \"earliest_time\": \"-70m@m\",\n                \"latest_time\": \"-10m@m\",\n                \"schedule_window\": \"auto\"\n            },\n            \"alert_action\": {\n                \"notable\": {\n                    \"rule_description\": \"ARP Poisoning has been detected on interface $src_interface$ on host $orig_host$. This may be an indication of a MITM attack.\",\n                    \"rule_title\": \"ARP Poisoning Detected on $orig_host$\",\n                    \"nes_fields\": [\n                        \"src_interface\",\n                        \"firstTime\",\n                        \"lastTime\",\n                        \"count\"\n                    ]\n                }\n            },\n            \"tags\": {\n                \"detection_name\": \"Detect ARP Poisoning\"\n            }\n        },\n        {\n            \"name\": \"Detect Rogue DHCP Server deployment configuration\",\n            \"id\": \"6e4e20ac-e719-4ebe-a52d-d672cd451dbb\",\n            \"date\": \"2020-08-14\",\n            \"description\": \"This configuration file applies to the Detect Rogue DHCP Server detection\",\n            \"author\": \"Mikael Bjerkeland\",\n            \"scheduling\": {\n                \"cron_schedule\": \"59 * * * *\",\n                \"earliest_time\": \"-70m@m\",\n                \"latest_time\": \"-10m@m\",\n                \"schedule_window\": \"auto\"\n            },\n            \"alert_action\": {\n                
\"notable\": {\n                    \"rule_description\": \"DHCP Snooping has detected a Rogue DHCP Server on $orig_host$ from $src_mac$. This may be an indication of a MITM attack.\",\n                    \"rule_title\": \"Rogue DHCP Server Detected on $orig_host$\",\n                    \"nes_fields\": [\n                        \"src_mac\",\n                        \"firstTime\",\n                        \"lastTime\",\n                        \"count\",\n                        \"message_type\"\n                    ]\n                }\n            },\n            \"tags\": {\n                \"detection_name\": \"Detect Rogue DHCP Server\"\n            }\n        },\n        {\n            \"name\": \"Baseline Cache Hourly Updates\",\n            \"id\": \"1030c701-2acf-4b1a-9970-46c7145caf2d\",\n            \"date\": \"2020-06-24\",\n            \"description\": \"This configuration file applies to all baselines with tag deployments Hourly Cache Updates\",\n            \"author\": \"Bhavin Patel\",\n            \"scheduling\": {\n                \"cron_schedule\": \"55 * * * *\",\n                \"earliest_time\": \"-70m@m\",\n                \"latest_time\": \"-10m@m\",\n                \"schedule_window\": \"auto\"\n            },\n            \"tags\": {\n                \"deployments\": [\n                    \"Hourly Cache Updates\"\n                ]\n            }\n        },\n        {\n            \"name\": \"90 Day Baseline Searches\",\n            \"id\": \"6eac9f8b-a35d-4b64-b57f-e5ecde43be6b\",\n            \"date\": \"2020-06-24\",\n            \"description\": \"This configuration file applies to all baselines with tag deployments Long Running Baseline\",\n            \"author\": \"Bhavin Patel\",\n            \"scheduling\": {\n                \"cron_schedule\": \"0 4 * * *\",\n                \"earliest_time\": \"-90d@d\",\n                \"latest_time\": \"-10m@m\",\n                \"schedule_window\": \"auto\"\n            },\n            
\"tags\": {\n                \"deployments\": [\n                    \"90 Day Baseline\"\n                ]\n            }\n        },\n        {\n            \"name\": \"Enterprise Security deployment configuration\",\n            \"id\": \"bc91a8cd-35e7-4bb2-6140-e756cc46f212\",\n            \"date\": \"2020-04-27\",\n            \"description\": \"This configuration file applies to all correlation searches that are used for detection\",\n            \"author\": \"Bhavin Patel\",\n            \"scheduling\": {\n                \"cron_schedule\": \"*/30 * * * *\",\n                \"earliest_time\": \"-30m\",\n                \"latest_time\": \"now\",\n                \"schedule_window\": \"auto\"\n            },\n            \"alert_action\": {\n                \"notable\": {\n                    \"rule_description\": \"%description%\",\n                    \"rule_title\": \"%name%\",\n                    \"nes_fields\": [\n                        \"user\",\n                        \"dest\",\n                        \"src\"\n                    ]\n                }\n            },\n            \"tags\": {\n                \"analytics_story\": \"all\"\n            }\n        }\n    ],\n    \"count\": 6\n}"}],"_postman_id":"86a7b75c-33c5-43cf-8e00-1f38299025ef"}],"id":"b99c623b-1414-47a4-8604-d441bed89880","event":[{"listen":"prerequest","script":{"type":"text/javascript","exec":[""],"id":"61222723-4be4-485d-b040-2f3ea76dbc55"}},{"listen":"test","script":{"type":"text/javascript","exec":[""],"id":"a1028564-11eb-4ee7-b6ec-da0efd07a10d"}}],"_postman_id":"b99c623b-1414-47a4-8604-d441bed89880","description":""},{"name":"/","id":"23e8bf3b-c270-4583-b903-6876c80bd17d","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"auth":{"type":"noauth","isInherited":false},"method":"GET","header":[],"url":"https://content.splunkresearch.com/","description":"<p>Welcome 
page</p>\n","urlObject":{"path":[""],"host":["https://content.splunkresearch.com"],"query":[],"variable":[]}},"response":[{"id":"c937427b-1a11-4bc4-87bf-91c17e8ad57d","name":"/","originalRequest":{"method":"GET","header":[],"url":"https://content.splunkresearch.com/"},"status":"OK","code":200,"_postman_previewlanguage":"json","header":[{"key":"Date","value":"Thu, 05 Nov 2020 08:29:18 GMT"},{"key":"Content-Type","value":"application/json"},{"key":"Content-Length","value":"60"},{"key":"Connection","value":"keep-alive"},{"key":"x-amzn-RequestId","value":"b0ce98fe-f5a2-42c7-85c6-c18c1d099be2"},{"key":"Access-Control-Allow-Origin","value":"*"},{"key":"Access-Control-Allow-Headers","value":"Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key"},{"key":"x-amz-apigw-id","value":"VhmqyEgLvHcFejg="},{"key":"X-Amzn-Trace-Id","value":"Root=1-5fa3b7de-0568e60e5daf3e6d018682f5;Sampled=0"}],"cookie":[],"responseTime":null,"body":"{\n    \"hello\": \"welcome to Splunks Research security content api\"\n}"}],"_postman_id":"23e8bf3b-c270-4583-b903-6876c80bd17d"},{"name":"/version","id":"96fbafee-0b20-4d5e-97b4-2f1afca30682","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"auth":{"type":"noauth","isInherited":false},"method":"GET","header":[],"url":"https://content.splunkresearch.com/version","description":"<p>Current security content release: version name and publish date</p>\n","urlObject":{"path":["version"],"host":["https://content.splunkresearch.com"],"query":[],"variable":[]}},"response":[{"id":"b3ad4669-182e-41e6-aada-88af8d767775","name":"/version","originalRequest":{"method":"GET","header":[],"url":"https://content.splunkresearch.com/version"},"status":"OK","code":200,"_postman_previewlanguage":"json","header":[{"key":"Date","value":"Thu, 05 Nov 2020 08:29:29 
GMT"},{"key":"Content-Type","value":"application/json"},{"key":"Content-Length","value":"67"},{"key":"Connection","value":"keep-alive"},{"key":"x-amzn-RequestId","value":"76d4a04c-5efa-49e1-a31c-2e0321301c0b"},{"key":"Access-Control-Allow-Origin","value":"*"},{"key":"Access-Control-Allow-Headers","value":"Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key"},{"key":"x-amz-apigw-id","value":"VhmscFgWPHcFSxw="},{"key":"X-Amzn-Trace-Id","value":"Root=1-5fa3b7e9-20dafb1511f35e7f36b6c6ab;Sampled=0"}],"cookie":[],"responseTime":null,"body":"{\n    \"version\": {\n        \"name\": \"v3.0.8\",\n        \"published_at\": \"2020-10-20T22:29:36Z\"\n    }\n}"}],"_postman_id":"96fbafee-0b20-4d5e-97b4-2f1afca30682"}],"event":[{"listen":"prerequest","script":{"type":"text/javascript","exec":[""],"id":"c1e9d3d8-bc24-4364-98cb-02863a310fa2"}},{"listen":"test","script":{"type":"text/javascript","exec":[""],"id":"2b2cc39a-e59e-4e77-a77b-da0c828d68b5"}}],"variable":[{"key":"baseUrl","value":"https://content.splunkresearch.com"}]}